Registration-spammed forum with aliased email addresses despite "normalize_emails" enabled

My forum was registration-spammed a few months ago using aliased email addresses.

Activation reminder emails were also sent, doubling the number and sending a total of around 1000 emails in a very short time.

I was advised to enable the normalize emails setting. The default state is enabled and was never changed. The admin actions log confirms that.

Should this setting have prevented this abuse?

To ensure the normalize emails setting was working, I tried to register manually using an existing email address alias, and the account creation was blocked since the email address was correctly detected as already used.

I also tried to register with a non-existing, non-aliased or aliased email (I tried both), not activating this new account, and tried to register again with the same address, + aliased, to ensure there was no flaw if the existing address was on a pending account. The setting also worked in this case.

I’m puzzled because someone successfully executed these spammy email-aliased registrations, seemingly bypassing the normalize emails setting. :thinking:

I noticed this spam issue with the same email addresses on two of my Discourse forums (on the same day), both of which have always had normalize emails enabled and never disabled.

I believe it is a timing thing and those spam emails were created before the setting was enabled by default and your forum was updated.

You should be able to just bulk delete those remaining spam accounts.

2 Likes
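An added example, not part of the thread and not Discourse's own code: one way to find alias clusters among accounts that already exist, such as ones created before normalization was applied. The normalization rule (lowercase, drop the "+tag", drop dots in the local part), the account fields and the sample data are assumptions made for illustration.

```ruby
# Assumed normalization rule for this example only; it is not taken
# from Discourse's source. Returns nil for a malformed address.
def normalize_email(email)
  local, domain = email.strip.downcase.split("@", 2)
  return nil if local.nil? || domain.nil? || local.empty? || domain.empty?
  local = local.sub(/\+.*\z/, "").delete(".")
  return nil if local.empty?
  "#{local}@#{domain}"
end

# { normalized_address => [accounts] } for every normalized address
# shared by two or more accounts. Malformed addresses are skipped.
def alias_clusters(accounts)
  accounts
    .group_by { |a| normalize_email(a[:email]) }
    .reject { |key, group| key.nil? || group.size < 2 }
end

# In each cluster, keep the oldest activated account (if there is one)
# and return the usernames of the rest for manual review.
def review_candidates(accounts)
  alias_clusters(accounts).flat_map do |_, group|
    keeper = group.select { |a| a[:active] }.min_by { |a| a[:created_at] }
    group.reject { |a| a.equal?(keeper) }
  end.map { |a| a[:username] }.sort
end

# Constructed sample data (hypothetical usernames and addresses).
SAMPLE_ACCOUNTS = [
  { username: "alice",  email: "alice@example.com",       active: true,  created_at: "2023-01-10" },
  { username: "spam01", email: "mailbox+a1@example.org",  active: false, created_at: "2024-02-01" },
  { username: "spam02", email: "mailbox+a2@example.org",  active: false, created_at: "2024-02-01" },
  { username: "spam03", email: "Mail.Box+zz@example.org", active: false, created_at: "2024-02-01" },
  { username: "bob",    email: "bob@example.net",         active: true,  created_at: "2023-05-02" },
  { username: "bob2",   email: "b.ob+forum@example.net",  active: false, created_at: "2024-02-01" },
  { username: "broken", email: "not-an-address",          active: false, created_at: "2024-02-01" },
].freeze

if __FILE__ == $PROGRAM_NAME
  alias_clusters(SAMPLE_ACCOUNTS).each do |address, group|
    puts "#{address}: #{group.map { |a| a[:username] }.join(', ')}"
  end
  puts "review: #{review_candidates(SAMPLE_ACCOUNTS).join(', ')}"
end
```

The output is a review list, not a deletion list: a legitimate user can own more than one alias of the same mailbox.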

Thank you very much for this information. It would be great if the information of a setting change due to software update were mentioned somewhere locally (I mean, on our own forum) since it doesn’t appear in the action staff logs - which is understandable as it’s not a staff action. Or maybe it was mentioned somewhere, and I missed it. :thinking:

Anyway, the important thing here is that my worries are gone and I’ll sleep well tonight :partying_face:

2 Likes