but the spam registrations are still coming thick and fast...
I'd recommend to wait a bit before making conclusions which have no proper way. Seeing you have disabled the website address, spammer may stop the action.
As I mentioned, to protect the captcha code on the different level, you can change:
- number of symbols displayed in Captcha
- secret phrase
- set the grid to make it less recognizable
All of this helps to protect from the possible automated attack which may been "cracked" the module; despite we even don't know if it's automate.
As about the manual spam, i.e. if somebody registers new accounts manually, nothing will help you in this, except of blocking the IP address, which is also a temporary action. China spammers are unbeatable in this case. You may get hundreds of manual registrations or actions completed from different IPs in a hour. Nothing will help you except hiring another Chinese who will remove false accounts ;)
There are also few ways of improving the registration process. You may set up the email verification which in most cases doesn't work for spammers, as they should have unique and live email address to complete it. Also, when fighting the spammers, do not remove their accounts, but just block them - this will keep their email addresses in the database and won't allow to register the same address anymore.
P.S. Common... don't call 6 dollars you have paid for this a "money", please. I can't even buy bread & milk for this money. You've got the intellectual product instead.