Neomorte wrote:
I have set phpbb to use the Administrator activation for new user accounts. I have also added 3 different required fields for registrations to answer to help eliminate spambots. I have been getting several spam accounts created that skip the entire registration approval and sometimes don't catch them until they have posted many spam posts on the boards. I don't even get a new user account created email as I do with valid users.

The simplest explanation would be that your email account has been compromised; i.e., someone has stolen your email password. Thus, the spammer is intercepting your email, including the activation emails from phpBB, and therefore activating their own accounts.
Therefore, the first thing you might try is changing your email password (but you might do this from a different computer than you use normally, in case that computer has been otherwise compromised, e.g., with a keystroke logger).
Meanwhile, this illustrates a problem with phpBB3 that I've noticed previously, although it didn't seem serious enough to report as a bug: When a board is configured for Admin activation, the activation links sent to the Admins actually work when clicked by anyone--not just an Admin (so if the email gets intercepted by an unauthorized person, they can activate the account). I seem to recall that in phpBB2, the activation links sent to Admins (when a board uses Admin activation) only worked when used by an Admin who was logged in to the board. That's really how it should work in phpBB3 too.
Also, Neomorte, another thing to do on your board is implement "Post Queueing" -- technique #3 in the opening post of this thread -- so, even if a spammer can activate their own account, their initial post(s) will require moderator approval.
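
The difference between the two activation behaviours described in the post above, as an added illustration (not part of the original post and not phpBB's code). All function names, array keys and the sample account are hypothetical and constructed for this example.

```php
<?php
// Illustrative model only; none of these names come from phpBB.

// Constructed sample: one account awaiting admin activation.
$pending = ['user_id' => 42, 'actkey' => bin2hex(random_bytes(16)), 'active' => false];

// Behaviour the post describes: holding the link is sufficient, so anyone
// who can read the admin's mailbox can activate the account.
function activate_by_link_only(array &$account, string $key): bool
{
    if ($account['actkey'] === '' || !hash_equals($account['actkey'], $key)) {
        return false;
    }
    $account['active'] = true;
    return true;
}

// Behaviour the post asks for: the key must match AND the request must
// arrive in a logged-in administrator session.
function activate_as_admin(array &$account, string $key, ?array $session): bool
{
    $is_admin = $session !== null
        && ($session['logged_in'] ?? false) === true
        && ($session['is_admin'] ?? false) === true;
    if (!$is_admin) {
        return false; // a real board would send the visitor to the login page
    }
    if ($account['actkey'] === '' || !hash_equals($account['actkey'], $key)) {
        return false;
    }
    $account['active'] = true;
    $account['actkey'] = ''; // make the key single use
    return true;
}

// Constructed sessions: an anonymous visitor and a logged-in administrator.
$anonymous = null;
$admin     = ['logged_in' => true, 'is_admin' => true];

$a = $pending; // link-only check, anonymous visitor holding the key
var_dump(activate_by_link_only($a, $pending['actkey']));

$b = $pending; // session-bound check, same key, two different sessions
var_dump(activate_as_admin($b, $pending['actkey'], $anonymous));
var_dump(activate_as_admin($b, $pending['actkey'], $admin));
```

With the session-bound check, an intercepted activation email is no longer enough on its own; the spammer would also need an administrator login on the board.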