The continuing saga...
I have gone back to the normal system registration page, removed captcha from the form and stopped using the regex filter. I've left the web.config "ctl=register" denyquerystringsequence string and simply set the registration process to validated.
I also deleted all the spam users so probes using the userID fail.
The problem I have now is thousands of hits from the Bot trying to get in that are clogging up my event log and making normal error tracking unneccesarily difficult.
The probes follow similar patterns, using a userID or calling the register form directly but putting them in the denyquerystring area does not seem to stop them and I don't know what(if anything) to put in the filter
One common one is
As I've deleted that user, all it generates is a general exception.
I tried adding a denyquerystring sequence
<add sequence="UserProfile/tabid/324/userId/5066/Default.aspx" />
But it didn't stop it. Maybe I misunderstand the URL rewrite process.
Has anyone had this problem?