About 6 weeks ago, I began administrating a new phpBB3 board, and right off the bat we were swamped with spambots. I tried banning emails, disallowing usernames, making the CAPTCHA next to impossible for legit users to decipher (yet the bots had no problem with it), and was still spending a good portion of my time dealing with this plague and there just seemed to be no end to it no matter what I tried. It was very frustrating.
Then I did some research, and found a simple method for making it next to impossible for the bots to even register. This involved creating a custom profile field.
In the ACP, click the Users And Groups tab, then click Custom profile fields.
You should see a text field into which you want to give your new field a name, such as antispam. For the type of field choose Numbers from the drop down menu, then click Create new field.
In the Add profile field form, choose the following settings:
Publicly display profile field: No
Display in user control panel: Unchecked
Display on registration screen: Checked
Required field: Checked
Hide profile field: Checked
In the field Field name/title presented to the user:, give the user instructions, such as Enter the first and fourth digits from the following:
In the field Field description:, enter a string of numeric digits, at least 4 digits long.
Click Profile type specific options.
In the field Length of input box:, make this at least as long on the number of digits you are asking to be given.
Set both the Lowest and Highest allowed number fields to the value required for the user to type, thereby only allowing one correct response.
Set the default value to some value other than the correct response.
Now, when a user inputs the wrong value, an error message will tell them the response is incorrect, and it will give away the correct response, so you need to edit your language pack to change the error message.
1. Click the System tab.
2. Under General tasks, click Language packs.
3. Under the installed language packs, click American English (or the default here).
4. There is a drop-down menu under Language entries. Choose ucp.php and click Select.
5. The field FIELD_TOO_SMALL will say "The value of “%1$s” is too small, a minimum value of %2$d is required." Edit it to say "The value of “%1$s” is incorrect."
6. The field FIELD_TOO_LARGE will say "The value of “%1$s” is too large, a maximum value of %2$d is allowed." Edit it to say "The value of “%1$s” is incorrect."
7. Go back up to the top of the form and click"Submit and download file", then click "Submit and upload file".
8. Purge the cache.
I did this 3 days ago and have not had one spambot get through. I was able to remove the CAPTCHA altogether from the registration process too.
I have the User registration settings set to User, which requires the user to have a valid email and to activate their account by following the link sent to them.
Under post settings, I have:
Enable queued posts: Yes
Maximum post count for queued posts: 1
and this makes it where a registered member has to have one moderator approved post under their belt before they are able to post without approval.
Now I prune inactive users who have not activated their account within a week of registering, and this list is getting shorter and shorter as no new bots have even been allowed to register.
I hope this helps!