Support

I would be extremely cautious with the use of the word "obvious". Your human intuition tells you that this is "obviously" a fake email address. Your human intuition is a fine mixture of fuzzy logic (common sense), complex learning algorithms the science hasn't cracked yet (learning), an immense data set (experience) and probability, all housed in a 49W hyper-efficient data analysis megaprocessor called "the human brain". Scientists have been trying for decades to figure out how it works and are still many decades behind. Even a mundane task, occupying less than 10% of our all-purpose brain, playing chess, requires a warehouse-sized megacomputer, built specifically for this purpose and which also requires some human assistance to beat another human. Think about it. What you are calling "obvious" would require a warehouse-sized computer to deduct. Ergo, it's NOT obvious. For the record, that email address conforms to the RFCs defining email address formats. The name of the user consists of two words. There are no invalid characters. This user is most likely a spammer, based on our intuition, but it could be a stupid 15-year-old who thinks having this kind of crappy email and username is "133t". Are you still insisting on "obvious"?

That said, you can do a few things so that such users either don't register or never become active:
- Enable the registration activation emails (enabled by default) in Global Configuration. Moreover, enable the non-activated user cleanup in Admin Tools system plugin to get rid of the users who tried to register but never activated.
- Enable the Project Honeypot integration. It's free and easy. It will block the IPs of known spammers and hackers, a very desirable feature.
- Enable the CSRFShield and set it to Advanced. Most spambots will fall into the trap. On the downside, some search modules and other AJAX-powered extensions on the front-end of your site may stop working.
- Enable the Bad Behaviour filter in Admin Tools, but be ready to have some serious issues with your legitimate visitors. Bad Behaviour is very powerful, but it's overly eager to throw people out.

For the record, I used to have 100 such registrations per day on this site. After enabling half of these features I mentioned, they are now about 20 per day. Out of them, only one every 1 month activates the account and only 1 every 3 months manages to spam the forum before it's terminated with extreme prejudice. I think that's a good score, no?

I understand the problem. I really do. Me, you and all the millions of website owners.

1. You can do manual filtering, as you do now, but this is wasting your time and has dubious effectiveness. You can send activation emails which is a very common practice among thousands of web sites (guess why?) and has 99.9% effectiveness against spambots. Or, you can use a CAPTCHA but be prepared of many people not registering because of it. Especially about the latter, I've many times come across CAPTCHAs (even ReCAPTCHAs) that were so damn illegible I couldn't read them even after loading the CAPTCHA 5 times. At least one company has lost my business because of this kind of stupid CAPTCHA.

2. Find the Admin Tools plugin ("System - Admin Tools" plugin) in the Plugin Manager. Click on it to edit it. (or, alternatively, just click the "Scheduling (via plugin)" button in Admin Tools). Scroll all the way to the bottom. Find the "Delete inactive users" and "Delete after this many days" options.

3. Project Honeypot fights spam, doesn't cause it. If the provider of your blacklists can't figure that much, he's a moron, a douchebag and an entirely incredulous source for blacklists. I'd personally stop using this kind of stupid blacklists.

4. I told you, it has some downsides. So, CSRFShield is a no-go for your site.

5. That's good. Even if a spammer registers, he'll have a hard time spamming you.

6. Never tried them, to be honest, as I never saw the need. I'm pretty happy with having to remove only 1-2 spam messages every few months :D

The problem is really NOT with the free email providers. Do you have any idea how easy and cheap it is to set up a low-cost domain name and send spam from it, with a validating email address? You'd be amazed. All you need is a DNS solution (Amazon Route 55, anyone?), an ADSL line and a Linux box. Don't hold a grudge against free email providers. They don't enable spamming or make it easier.

Having a crapload of blacklists on a mail server is not such a good idea. I'd personally trust infinitely more a "learning" spam filter, such as Spam Assassin, than any blacklist. Why? Blacklists are, by definition, outdated the moment you download them. Spammers download them too, you know, figure out if they're blacklisted and hop to a different email address/domain/IP address. Moreover, blacklists usually block legitimate emails. Two examples:
- A month ago I got an email for an angry client, claiming I am a fraud because I haven't sent him his invoice for 3 months. I had sent him his invoice 2 months and 17 days ago, via email, as a PDF file. His blacklist considered my email address spammy and refused to deliver the file to him.
- For the last two weeks I am receiving an email every few days from another client (I think) who's requesting a quote. Unfortunately, he doesn't send the email from the mail address they used to subscribe, doesn't mention a username and their moronic blacklist doesn't allow ANY of my emails to reach them (and I tried several sender addresses). They probably think I am ignoring them and I expect an email telling me that I have awful service and they'll never buy anything from me again because I repeatedly ignore them.
In both cases my emails were returned to me with an error message, clearly stating that my email and/or IP was blacklisted (hint: I am using Google Apps so that I can archive and search my 4Gb of emails when people email me, referring to our communication from 12-24 months ago). So, there you have it: SCREW BLACKLISTS, they're dysfunctional.

We could go on forever with these arguments, but the point is that we can not fight spam emails. We can, however, fight spam on our sites very effectively:
- Require activation emails. Spambots can not process it and it doesn't make sense from a spammer's perspective to do that. It's slow and they make money based on volume of spam delivered.
- Don't use CAPTCHAs; they're broken easily (MechTurk jobs pay off big time) and they simply annoy users.
- You should never allow unregistered users to post content. Ever.
- The web application should have CSRF protection built-in. Joomla! does a very good job at generating a token. A clever developer can make it so that his forum software rotates the token on each page load and checks it when someone is posting content. This makes it 10x harder for spammers to post spam, as they have to precede each post with a full read of your new post page, making it inefficient and cost-ineffective for them (they don't make money anymore, so they'll leave you alone). To the best of my knowledge, most forums don't offer that.
- Use mod_security2 on your Apache. It will offer flood protection. Again, the spammer will have to be very slow to spam you, therefore not making money, therefore he'll leave you alone. Likewise, a forum/comment system with flood protection works equally fine.
- Use the Bad Words filtering in Admin Tools. Amazingly, spammers seem to use the same subset of uncommon words for a period of 2-6 weeks. So, once you get spammed you have some uncommon words/phrases to feed the Bad Words filter.
- Use Project Honeypot integration. It stops a lot of lowlifes. If you read PH's website, you'll see that the method they use is very smart and very effective. Well, it works perfectly for me!
- Bad Behaviour is a big help against spambots. Spambots often use behaviour which is non-standard for web browsers, making it quite easy to stop most of them dead on their tracks.

Some spam will go through. It's not unconceivable that someone will employ flesh-and-blood humans to go through anti-spam measures. However, this is very inefficient, very rare and easy to combat once spotted.

And, no, there is no such thing as a fool-proof anti=spam method other than tracking down spammers and sending the police knocking down their doors. The more that happens, the less spam we'll see. That, and educating lusers to not fall victims of spam. That is why spam still exists and the hardest cause to combat.

He he! This is the kinds of posts I write after a much=needed 12hr sleep and a ton of caffeine in my blood stream ;)

Regarding edits, you may have noticed that I've removed the ability to edit your posts since six months ago. That was the reason. In the new support system I'm baking up, I plan to include the ability to edit your post only 15 minutes after posting it and have it send a notification to subscribed users. I bet that'll be enough to deter below-the-radar spammers.

FWIW, virtually all developed countries have pretty strict laws regarding spamming and hacking. The problem is not the lack of legislation, but the difficulty in tracking down the origin of the spam/hack and the improbability that even then it can be tracked down to someone who's on a jurisdiction which allows extradition or, at the very least, punishment.

And, for the record, if anyone gives me hell that I don't reply to their emails, when it's just their blacklist/spamfilter which doesn't let my replies pass through, I'm going to be bill 200 Euros. That's my minimum consultancy fee and that's what I am expecting to be paid when I spend two hours trying to work around someone's spam filters to answer their damn email. ;)

Side note: Ever since my business email is being handled by Google Apps, I have only seen 2 spam emails landing in my inbox. That's 2 emails in over 2 years, with 200+ legitimate (and 300+ spam) emails per day. As I said, a "learning" spam filter is the best solution. And Google, oh boy, do they have data to feed their spam filter! Millions upon millions of emails and hundreds of thousands of users every day marking emails as spam or ham when the filter misfires. I don't think anyone can beat that.