I am aware that the system does not block 100% of the unsolicited sign-ups, this is because the 10-20 registerations per day are most likely done without automation. I have several sites in which I’ve studied this behavior extensively and I can conclude that most likely you do have one person trying to create accounts on your site using a system of web proxies.

Super-CAPTCHA was only meant to stop the automated signups, which from the tests I have run, it has done very well. But it is impossible to block signups from people that are intentionally trying to create blogs for link inflation.

I would suggest seasonal moderation, meaning when the spam picks up, turn on moderation, when it dies down, turn it off. The reason we’re suspecting these attacks are indeed human is because no matter what anti-bot method or system that is being used, these particular people are able to bypass it 100% every time without failure which is not bot-like. Furthermore these signups happen within an hour of each other (or 4-5 at the time) which is consistent with a human being actually creating a few sites, then moving on to another site to create sites there as well. Again there is no way to stop these types of sign-ups, however removing the CAPTCHA system could have catastrophic results if your site is targeted by bots. There is a back-end tool that lets you see how many people have failed the captcha test, I’d recommend looking at that and seeing what the accuracy is of the system currently.

As an example, on vraul.com (our test-bed for WP-MU) the system blocks approximately 2,000 (always more than 1,500) per day. However there are 10-20 per day that make it through the system. This is 99% accuracy in blocking spam.

You can furuther secure the system if you would like by forcing the CAPTCHA test on the logins. This will keep the real registrations with automated posting from being able to log-in and post.