Hi we have just noticed a bunch of Nigerian spam accounts in our email system. Now, we do have a reCaptcha in the signup form but apparently they circumvent it, manually or otherwise. It seems like a semi-manual circumvention since the accounts aren't created in bulk but instead as a steady stream with a few minutes in between.
Since most of the spam accounts were created by IP addresses from Nigeria, we have just set up some simple IP filters over a couple of pretty broad IP ranges and that seems to be working for now. However we would like to make a more permanent solution to this problem.
The most reasonable improvement we are thinking about is to change from using reCaptcha to use a textcaptcha in danish. This might make it hard for a Nigerian to manually enter the answer since he would have to learn Danish or search the web for an answer. However, I would like to know if you have a better suggestion or maybe just alternative or additional screening methods we could implement.
The best approach that I know of is requiring verification via SMS. It's very easy for you to detect that the same phone number is being tried more than once, and it's reasonably difficult to have a large number of SMS-capable phones.