BTW: Microsoft is the market leader for operating systems, internet browsers and standard office and email server software. phpBB is the leader for free Bulletin Board Software. The market leader position is the most important point for spammers and hackers. The vendor doesn't matter!
Just compare forum spam with email spam:
Both can been sent by programs (spam bots) automatically and by human spammers manually.
Both email sender email addresses and forum user email addresses may be faked.
For email spam you simply can check if the email has been send via the official SMTP server (DNS MX record) for this email domain or not. If it's not been sent via the offical SMTP server then at least you can put the email into quarantine or you can block it (if you are a hard guy). The phpBB3 DNS MX check just looks if there is a MX record for the email domain. I think this is okay. A lot of "good" people whom are not using a SMARTHOST in the right way are sending emails directly via internet. This is not good but it is working. So you can not block this. It's a big problem. But we can not solve it.
For forum spam prevention you can set Account Activation to User or to User+Admin (Double Activation) to force the use of real and working email addresses.
To prevent email spam you can use (DNS) blacklists and content filtering. There are some other technics, too. But these can not been used if you are communicating with private people whom are using freemail accounts, SMTP tools and so on.
The phpBB3 default dnsbl check is done in a too much simple way. And it is using a DNS blacklist (spamhaus.org) which is well known for a lot of false positives. With Advanced Block MOD
this feature has been improved and the number of false positives has been decreased to Zero.
You can use a little bit of content filtering in phpBB3 with Phils ATLBL Antispam
or with Exreactions Anti Spam ACP
. These MODs are using some kind of blacklists (databases) which are not only checking for the IP address.
phpBB users always are been told to use CAPTCHAs and Q&As for user registration and guest posting. Supporters and others always are telling this is the best way and it's the only one way. But they are saying you can not prevent human spammers with this methods. This is a big problem. In the time of phpBB2 there have been only a rare number of human spammers. But this has been changed since phpBB3 has been released. Today there are a lot of human spammers filling out registration forms manually.
You can use DNSBL check very successfully to prevent most of the human spammers. IMO this is the only one successfull way to get human spammers automatically.
What's the official phpBB answer for this problem? Make your board individually and use the Newly Registered Users group. IMO it would have been better to include (or to finish) the Double Activation (User+Admin) into phpBB3 to get nearly the same but a easier to handle result insteat. As you can see it in ./language/en/acp/board.php devs have been thinking about it. But since about four years it has not been done. Only the never ending story CAPTCHA thing has been improved by the devs for the core package. ... Double Activation still needs to install the Advanced Double Activation Pack
To prevent email spam you can block spam emails automatically e.g. with IP DNS BLs and Domain DNS BLs. But in phpBB3 (without Advanced Block MOD) you can not block user registrations or guest postings automatically. In phpBB3 the registration form and the posting form always are displayed. It doesn't matter if you are a spammer or not. You can use banning. But this feature is only usefull to fight against single annoying people.
phpBB(3) core package needs to have automatically working true blocking features included and it needs to have more anti spam features included by default. The CAPTCHA plugin system is just only one of these possible features and IMO it's more like a workaround and it's not really a fully satisfying solution.
If you are interested you can read more about these things in my MOD FAQs.
Please don't tell me again the fairytales about problems with board performance and false positives!