It is clear to me, that any one or two techniques to prevent spam bots is not going to be succesful. The real smart ones: can beat captcha, can beat honeypots, can beat the email verification, can beat the IP address blocking. I still got a few more tricks up my sleeve to combine with all this stuff.
Reading a real interesting blackhat article today about malforming the user agent to invalidate harvested cookies and tokens.
...I still haven't turned on the required user email validated. We may have to get an RBL service, but, just going to keep an eye on it. Can still run some pattern recognition, found that on the server itself, I can block certain nameservers as preventative.
This is seriously taking up more of my time than I had hoped, so ...sprint may run a week too long, but it is a necessity.