[n.b. This isn't me necessarily disagreeing with you, but I think a little bit of context for what we're currently doing (and why we're not manually verifying everyone as it stands) may help inform the discussion. It's mostly a statement of our current approach and reasoning, rather than saying that our current approach is perfect and immutable.]
We use
StopForumSpam to identify suspected spammers and send
them to manual verification - this, on average, catches about 1 attempted registration a day, and when I review those manually, I'm pretty confident that they'd overwhelmingly be spammers. As an added benefit, we submit our own spam data to StopForumSpam, so other communities get to benefit from our activity. This solution does catch the odd Tor user here and there, which is debatably a bad thing, but hey ho.
I also wrote a (not-so-)clever piece of code which trips up most bots. In essence, the username and password fields have randomly generated IDs, and if you submit a form with the original fields filled in, your registration gets rejected with a cryptic message. We don't keep stats on how much of an impact that has, but back when we rolled it out the difference was drastic. I suspect this still catches most bots, because few people will write custom code to autospam our forum. There are much smarter ways out there to tell bots apart from humans, and we could implement more aggressive browser fingerprinting at the time of registration, but that comes with privacy concerns that would affect real users.
You're obviously right that this approach isn't perfect. We do get spam, and more recently it's been more frequent. But the attack surface is pretty small - you need to be posting from an IP address that is not yet idenified as a suspected spammer, and you need to work around our basic bot detection (I suspect most spammers here are actually humans). I also think it's fair to say that we're pretty quick to act on spam reports and cleaning them up. I worry that if we expand these measures much further, we might be getting close to a cure which would be worse than the disease.
I think three questions need to be asked here:
- Is the current volume of spam posing a problem for real users? Does it get in the way of using the forum? This is not one I should be answering, so I'm leaving it open-ended.
- Would the work of manually approving all new members be easier or harder for mods than responding to the occasional spammer, and would we be more reliable than existing solutions? I suspect it would be more work - approving an additional 100 new accounts a month vs. deleting a couple every month. This would also mean that the approval process would have to happen more frequently. Currently, we catch 99% spammers, 1% random college students that want to ask us questions. If we put everyone in the approval queue, we have to pay much more attention to it - we'd have to moderate ~140 users a month in the hope of catching ~40 spammers. This might even cause us to accidentally let more spammers in, not fewer.
- Would we lose potential new users over this? Our original belief was that stopping legitimate users from being able to post right away would dissuade many of them from engaging. In my experience with the accounts that I do approve after they were thrown in the queue by StopForumSpam, they rarely come back if it takes a few hours to get approved. I mean, they probably weren't planning on being great members of the community anyway, but there is a balancing act to be struck here.
Letting people post in certain sections is similarly risky IMO - for a new legitimate user, this just forces them to make a certain number of posts in a designated zone before they can say what they want to say. We've considered it before, but our worry was that it would encourage people to spam low-quality posts just to access the real forum. Is that really the best thing for newcomers?