No registration process can tell if a human is a spammer or not. It's not possible.
You are right here. Eventually, all human processes can be simulated and replicated and thus verification of humanity will eventually be impossible.
I do wonder if AIs will just spam us to death instead of outright revolting and murdering us, or maybe just doing things like mass-committing something like identity fraud on their own accord. Plus, if they're really clever, they'll have seen the movies. Murdering us directly will inevitably invoke the wrath of a gun-wielding ex-con with a mullet who will be their demise.
Checking against external blacklists and APIs has a couple of disadvantages, mainly:
- A. Part of your spam protection dies when their service does.
- B. Refusing registration attempts when the external service is disrupted prevents your site from working properly and semi-randomly denying visitors the ability to sign up will most certainly not encourage them to do so. On the contrary, not doing so opens up an unnecessary vulnerability upon the disruption of the external service, which is not really a very good thing.
- C. You're essentially giving them a carte blanche to determine who does or who doesn't get on your website.
From personal experience, when one of these external blacklists actually triggers, some other method of spam prevention my forum (Not NodeBB. Yet.) has installed generally does as well. Although maybe if they decentralized the concept, bitcoin-style (or bitmessage, or bitsomething, or bitanotherthing, you get the deal, there's thousands of there projects now) it might become a bit more interesting, as it'd invalidate two out of my three main complaints. To negate the third, there's always the possibility of clever stuff. Don't underestimate some people when it comes to coming up with clever stuff.