Website Registration and Bots
We have, of late, been plagued with bots creating user accounts on the website. At peak, these can be hundreds a day. Combatting these is a work in progress. This page documents work to date (17/5/2018).
These bots go through the entire signup process, including receiving the 'confirm you are real' email and completing the signup process from the link therein.
- For now I have made all signups require administrator approval. This means I get a steady stream of notifications, and I guess which ones are spurious.
- I observed that the most prolific bots use email addresses from the domains lexxip.com and wgz.cz. I have modified modules/registration/xaruser/register.php to not send mails to those domains, but otherwise act normally.
- I experimented with hidden checkboxes. The idea is that bots blindly check boxes, and so if a hidden one is checked you know it's a bot. I found that this does trap a few, but is generally not effective.
- I tried a visible unchecked "I agree I'm not a bot" checkbox. The idea was that bots would leave it unchecked. If the box was not checked, the UI would flag this as an error. Unsurprisingly, bots figured this out. There is a tension here between allowing the user to correct a mistake, and letting a bot know it needs to try something else.
- From a suggestion on the list, I added a text field which the user must fill in. The question is "professionalism in what?". I've also been logging responses. It appears that some of these bots involve humans in the chain at some point; the most prolific have now learned the correct response.
My next plan is to add a https://www.google.com/recaptcha to the page. I wanted to avoid a captcha, but I now don't think there is any alternative.
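The three server-side checks listed above (blocked email domains, hidden checkbox, challenge question) combined into one classifier, as an added example that is not the site's register.php. The field names `email`, `hp_confirm` and `challenge` and the expected answer are hypothetical placeholders, and handling every signal silently, the way the page handles the blocked domains, is an assumption of the example.

```php
<?php
// Added example, not the site's register.php. Field names and the expected
// challenge answer are hypothetical placeholders.
const BLOCKED_DOMAINS = ['lexxip.com', 'wgz.cz'];  // the two domains named on this page
const CHALLENGE_ANSWER = 'placeholder answer';     // placeholder, not the real answer

// Return a submitted field as a trimmed string; arrays (field[]=x) become ''.
function field(array $post, string $name): string
{
    return isset($post[$name]) && is_string($post[$name]) ? trim($post[$name]) : '';
}

function classify_signup(array $post): array
{
    $reasons = [];

    // Email domain: text after the last '@', lowercased; subdomains also match.
    $email = strtolower(field($post, 'email'));
    $at = strrpos($email, '@');
    $domain = $at === false ? '' : rtrim(substr($email, $at + 1), '.');
    foreach (BLOCKED_DOMAINS as $blocked) {
        $suffix = '.' . $blocked;
        if ($domain === $blocked || substr($domain, -strlen($suffix)) === $suffix) {
            $reasons[] = 'blocked-domain';
        }
    }

    // Honeypot: an unchecked checkbox is never submitted, so presence is the signal.
    if (isset($post['hp_confirm'])) {
        $reasons[] = 'honeypot';
    }

    // Challenge question: collapse whitespace and ignore case before comparing.
    $answer = strtolower(preg_replace('/\s+/', ' ', field($post, 'challenge')));
    if ($answer !== CHALLENGE_ANSWER) {
        $reasons[] = 'challenge';
    }

    // Log the raw answer; json_encode escapes newlines, keeping one entry per line.
    error_log('signup ' . json_encode(['reasons' => $reasons, 'answer' => field($post, 'challenge')]));

    // The caller renders the same page either way; only the mail is withheld.
    return ['send_mail' => $reasons === [], 'reasons' => $reasons];
}

// Constructed sample submissions: a blocked subdomain, then a clean signup.
var_export(classify_signup(['email' => 'a@Mail.WGZ.cz', 'challenge' => 'Placeholder  Answer']));
var_export(classify_signup(['email' => 'b@example.org', 'challenge' => 'placeholder answer']));
```

Returning the reasons to the caller without showing them to the submitter keeps the response identical for flagged and clean signups, which sidesteps the tension noted above between helping a user correct a mistake and telling a bot what to change.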
hosting/websiteregistrationbots_website_registration_and_bots.1526556257.txt.gz · Last modified: 2018/05/17 11:24 by jim