We're currently being hit by spambots that are able to bypass our CAPTCHA. I'm not sure if they actually have an OCR script that can defeat it, or if they're paying sweatshop employees to spawn the accounts, but in either case, they're getting through.
The way the attack works is that they register several accounts, wait a few weeks, and then start sending spam, via PMs, to all non-mods and non-admins. They also like to use names like "Forum Staff" to get you to open it. The only legit CC bot account is messagebot. If you receive anything from a bot account that isn't messagebot, it's spam.
I just purged all known spammer accounts, and I *think* I got them all, but they will of course continue to create them. Please let me know when the next spam wave hits so I can purge it as well.
I'm going to implement a couple of additional measures to halt the spambots. If it becomes necessary, I will switch accounts to require admin approval, but I only want to do that as an absolute last resort, as it makes real people less likely to ever actually use their account.