Let me make this crystal clear to everyone:
With regard to the forum:
Every single time there is a spam post -- ABSOLUTELY EVERY SINGLE TIME, NO EXCEPTIONS -- administrative action is taken to ensure it doesn't happen again. This does not mean we just delete the account + posts and continue on our merry way. There are other things being done (manual actions I personally take every single time, again, no exception) to stop this from happening which I cannot/will not disclose. The reason I won't disclose them is because the spammers read English -- human beings are creating these accounts, NOT software/robots. The less they know about our methods, the better.
If anyone feels the forum now has more spam than it used to, I will be more than happy to remove all of the methodologies we have in place and let you experience the result. I can assure you that within a week you will have hundreds of posts, possibly thousands of accounts, with every thread on this forum with spam in it.
Because human beings are involved, things like captchas, "technical questions", mathematical questions, etc. absolutely do not work because the humans are capable of reading English. I can talk more about this in detail if people want to know, but all you need to know is that there are companies -- dedicated, fully-staffed companies -- in foreign countries which do nothing but create accounts on forums/wikis/etc. all day long and then sell those account credentials to bidders, or are hired by bidders to do exactly that. This is what commercialism and capitalism have brought the world.
With regard to the Wiki:
The aforementioned methodology for blocking the spammers on the forum is not applied to the Wiki. All we do use is the built-in mathematical question during account creation (as a form of a captcha). Let me explain why this is in place:
When we recently upgraded the Wiki, I disabled all forms of captchas because I was told it more or less didn't matter since only manually-approved accounts had edit/write access. Seemed logical to me. However, within about a week of the upgrade, I started receiving boatloads of "bounced mail" messages from the webserver specific to the Wiki. A quick investigation showed that the spammers were signing up using automated software, and were shoving randomly-generated Emails into the Email field during account creation. For verification purposes, the Wiki sends Email to this address and asks the person to verify.
So what was happening was that our mail servers were spewing mail to these invalid addresses, resulting in bounces, which I get copies of. In effect, the spammers were using the account creation form to hit Email addresses "for the hell of it". Really. It's completely 100% impossible for them to sign up for an account and somehow "insert content into the body of the verification mail" -- instead, these are just robotic scripts that are going batshit crazy creating accounts and resulting in Email storms. Nor would THEY ever get a copy of the bounceback, so they'd never know if the Email address they generated was legit or not. I do not understand the reason for this, but I really don't care why -- obviously it's unacceptable. Furthermore, disabling mail bounces is not an option -- we have actual people who use our mail servers and rely heavily on bounces for legitimate reasons ("oh crap I typo'd my mum's Email address").
As a result, I turned on the mathematical verification requirement, which appears to have completely stopped the Email bounceback situation. However, either humans or software are obviously able to do simple math, thus accounts keep getting created. Meaning: the spammer is creating an account with an Email address they have access to, so they get a copy of the verification mail, click the link to verify, then proceed to try and edit the Wiki to spam (and find they cannot because we only allow edit/write access to accounts which are pre-approved). At least I'm not getting bounced mail.
The problem I have with enabling something like an image-based captcha (instead of the mathematical verification) is that it's more intense on CPU time, and if a human is doing the account creation it solves nothing. And many image-based captchas are fucking annoying anyway -- I cannot tell you how many times I have signed up for an account somewhere and have been completely unable to read the captcha text because it's so horribly skewed/noised/buggered.
It might be worthwhile for me to apply the same methods to the Wiki as we use on the forum (and this is not difficult to do, nor does it make my life more complex), but the Wiki isn't something I keep too close of an eye on.