User Activation is not effective a bot-prevention mechanism. There are plenty of bots that can create a new email account and use it to register. I’ve been running a honey-pot (bait) board for a bit over a month and have nothing but bot registrations, and I have user activation turned on. I have posted about this particular board on my blog a couple of times; the statistics for user registrations and posts are in the One Month Status Report blog post here:

http://www.phpbbdoctor.com/blog/2008/09/13/unprotected-phpbb2-board-one-month-status-report/

Bottom line: user activation is important, but it does not do anything to protect your board against sophisticated bots. It’s about as good as the standard phpBB2 visual confirmation in that regard. The primary advantage of user activation is, in fact, for legitimate users, as it helps make sure they don’t put any typos in their email address as they register. Bots don’t make typos.

The “one-click” spammer option that Highway mentioned does exist as a MOD for phpBB2, it just hasn’t been published yet. I wrote code I call the phpBBDoctor Spammer Hammer that performs the following steps:

1. Logs the user out (removes their information from the sessions table, if present)
2. Marks their account inactive
3. Changes their activation key, so they cannot use the “resend activation” option to get active again
4. Captures all posts made by the bot / spammer into a single topic in a hidden forum. This includes topics started by the bot / spammer and any replies by regular users to those topics.

None of the information is deleted, it is simply moved to a hidden forum. That way I preserve the evidence (such that it is) in case I want to try to take any action against the spammer.