Ok guys, I know I'm not the only one having a problem with splogs. I've installed both captchas and security questions. (see: http://bitfreedom.com/wp-signup.php). And today I go onto the site to see... why I have no less than 9 splogs! And one of them has an email domain that I've listed to block!!
So I think, "I don't know how they do it, but I need to start blocking their IP or something." I go to my Apache logs and grep for one of the user/blog names, and not quite to my surprise I don't find it. In the back of my head was always the idea that they must know what kind of HTTP request to send in order to bypass my checks, but I figured someone would have fixed that by now.
So obviously this is what is going on. No amount of captchas or other techniques are going to work if there is a way to get wpmu to register a blog simply by POSTing some variables to the right URL. I did look at the wp-signup.php file and it's a bit complex, but certainly someone here knows how to quickly find where it test (if it does at all) the input variables.
Anyone?