
Bots or humans? (General)

by Alfie ⌂, Vienna, Austria, Monday, November 05, 2018, 01:07 (2002 days ago) @ Auge
edited by Alfie, Monday, November 05, 2018, 12:25

Hi Auge & all,

@Alfie: As first, thank you for your IMHO clear and understandable description of the situation.

Welcome!

One as a forum operator is not able to distinguish between a silent reader or lurker of the forum's content or a spammer who hits the forum after a significant amount of time after the registration. In the second case it happens often with several to hundreds of entries within a few minutes [3] and one will only know then, that this is a spammer.

For your last case I would say one will know that this is a bot. As you noted [3] happened to me once in 14 years and was the reason to opt for ZBBlock.

[Edit]
Insight of the last ten years:

[image]

I had 1.2 registrations / day. In September 2012 I faced a wave of “fake-accounts” (16 / day) and installed ZBBlock in November 2012 which brought the number of registrations back to 1.2 / day.
In February to May 2017 a wave ZBBlock couldn’t handle (11 / day). After that better (2.4 / day) but twice of what I had before. The circles are true spammers.

Since June this year:

[image]

In mid July I changed to TLS and had to deactivate ZBBlock which increased the rate to 8 / day. On 19 October I implemented my AlGore rhythm
  regex for known spammer names (I keep a local file) →
  local copy of SFS’s bannedips.csv →
  remote query of SFS (IP) →
  remote query of BotScout (e-mail),
where “→” means that if no match is found, proceed to the next step.
This brought the rate down to 0.9 / day. Note that I don’t have the time limit of fast registrations in place yet. I expect that it will bring the rate down to zero.
The one true spammer I had on 27 October was reported to SFS’s data base ten minutes after the registration in my forum and still is not in BotScout’s data base. Can happen, of course.
[/Edit]

According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register.

I had 71 spam posts this year from 13 (mis)users. I’m pretty sure they were human because

  • it took them 1–2 minutes to register,
  • posts were made 1–7 minutes apart, and
  • posts of the same spammers were similar but not identical (looks like copypasted from somewhere).

One posted even in different categories. IMHO, no bot would do that.

I’m considering to throw a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters


That seems to be an adequate replacement for the not working checks but I see one problem with (only) it. Forum operators without "our knowledge" will ask why captchas got removed and will demand the reimplementation of captchas …

Well, we could keep it. Doesn’t hurt. Only an annoyance for legit users. If an operator had it in the past, his|her|its users were used to it.

… and further actions.

What else?

While there is no enjoyment in explaining the uselessness of captchas again and again, I would not count alone on timing checks but find it useful to side the action with further procedures like checks against local copies of lists of banned IPs and e-mail-addresses from providers like Stop Forum Spam.

In mlf2.x we have the option to query SFS. OK, why not, though given what I observed in the last month I would say it’s a waste of time.

Problem here may be forum hosters, who forbid script-based requests to other, foreign servers.

I see. But: AFAIK, here we never got a complaint in this respect of forum maintainers.

Why not keep everything as it is and add an option “block speedy registration” to the forum settings?

Too lazy to look up the mlf2.x script. In my register.php after the line which deletes inactive accounts:

  $time_start = microtime(true);

and before SFS and any other anti-spam measures:

  $time_end = microtime(true);

Finally just before the new user will be accepted (inserted to the data base, activation e-mail sent, etc):

  // microtime(true) returns seconds as a float, so one second is 1.0
  if ($time_end - $time_start <= 1.0)
    exit(header("HTTP/1.0 403 Forbidden"));

BTW, I made a strange observation. With this header I got either the browser’s default “Access denied” page (Chrome, Opera, IE/Edge)* or an empty page (FireFox, Safari, SeaMonkey). OK, bots don’t care and go somewhere else but I don’t understand why I don’t get this error page though in my .htaccess I have

ErrorDocument 403 /hterror/403_forbidden.html

Other error-directives are observed. This one

  exit(header("Location: https://forum.bebac.at/hterror/403_forbidden.html", TRUE, 403));

doesn’t help. I don’t get it.

Try it in your preferred browser:

––
* Actually the source is also empty. Do the others have no “internal” 403-page?

--
Cheers,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)
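
The cascade and the speed check from this post, as an added PHP example (not Alfie's register.php and not mlf code). It assumes the time the form was rendered is carried to the submit request in an HMAC-signed hidden field, since timestamps taken inside one PHP request cannot span the time a visitor spends on the form; the function names, name regex, addresses and the closures standing in for the SFS and BotScout queries are constructed.

```php
<?php
// Added example: names, sample data and the 1-second threshold are assumptions.
const MIN_FILL_SECONDS = 1.0;
// Sign the time the form was rendered so the client cannot alter it.
function issue_form_token(string $secret, float $now): string {
    $ts = sprintf('%.3f', $now);
    return $ts . ':' . hash_hmac('sha256', $ts, $secret);
}
// Seconds between form render and submit, or null for a missing/forged token.
function fill_time(string $token, string $secret, float $now): ?float {
    [$ts, $mac] = array_pad(explode(':', $token, 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $ts, $secret), $mac)) return null;
    return $now - (float)$ts;
}

// Cheap local checks first; remote lookups run only if nothing matched.
function check_registration(array $reg, array $cfg, float $now): string {
    $elapsed = fill_time($reg['token'], $cfg['secret'], $now);
    if ($elapsed === null || $elapsed < MIN_FILL_SECONDS) return 'blocked: too fast or bad token';
    if (preg_match($cfg['name_regex'], $reg['name'])) return 'blocked: name pattern';
    if (isset($cfg['banned_ips'][$reg['ip']])) return 'blocked: local IP list';
    foreach ($cfg['remote'] as $label => $lookup) {
        if ($lookup($reg)) return "blocked: $label";
    }
    return 'accepted';
}

// Constructed sample data; the closures stand in for the remote queries.
$cfg = [
    'secret'     => 'replace-with-a-random-server-side-secret',
    'name_regex' => '/^(buy|cheap)[a-z]*\d{3,}$/i',
    'banned_ips' => ['203.0.113.7' => true],
    'remote'     => [
        'SFS (IP)'          => fn(array $r): bool => $r['ip'] === '198.51.100.9',
        'BotScout (e-mail)' => fn(array $r): bool => $r['email'] === 'bot@example.org',
    ],
];
$t0 = 1700000000.0;   // constructed time at which the form was rendered
$token = issue_form_token($cfg['secret'], $t0);
$samples = [   // [name, ip, e-mail, seconds until submit]
    ['helmut', '192.0.2.1', 'h@example.com', 62.0],
    ['fastbot', '192.0.2.2', 'f@example.com', 0.4],
    ['buypills123', '192.0.2.3', 'p@example.com', 75.0],
    ['lurker', '203.0.113.7', 'l@example.com', 90.0],
    ['quiet', '192.0.2.4', 'bot@example.org', 80.0],
];
foreach ($samples as [$name, $ip, $email, $dt]) {
    $reg = ['name' => $name, 'ip' => $ip, 'email' => $email, 'token' => $token];
    echo "$name => ", check_registration($reg, $cfg, $t0 + $dt), "\n";
}
```

A deployment would also reject tokens older than some maximum age, so that a token harvested once cannot be reused for later submissions.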

