Alas, the problem has returned. I noticed some issues a few weeks ago with bogus accounts, so I deleted the 50+ bogus accounts and then quickly installed emailconfirmationregistration. But today I started getting a bunch of email bounces for the account confirmation stage, but nobody is waiting in the confirmation queue.
They are successfully injecting bogus accounts into the system. It looks like "they" have so far injected 26 bogus accounts into the Users listing.
I have both reCAPTCHA and collective.emailconfirmationregistration set up and working. They both seem to work when I test them, but somehow something is getting past that process?
So far only one of the 30+ sites in that Plone instance is showing this activity.
Version information (running on CentOS 7)
Plone 5.1.4 (5114)
Python 2.7.14 (default, Jun 26 2018, 10:14:38) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
PIL 5.1.0 (Pillow)
Example bounce message (half dozen and counting so far today):
From: RPG Research Website email@example.com
Subject: User Account Information for RPG Research - Studying the effects of all role-playing games and their potential to improve lives.
Date: Fri, 08 Feb 2019 16:31:01 -0700
Welcome Luther Aslatt,
Your user account has been created. Your username is Luther. Please activate it by visiting
http://www.accessiblerpg.com/rpgresearch/passwordreset/7c1f2e6b093e4214be850c86b109bef1?userid=Luther
Please activate your account before Feb 15, 2019 11:31 PM
With kind regards,
RPG Research Website