Support

What you consider "uanuthorized" user registration is actually proper user registrations done through Joomla!. Someone goes to the user account creation page, fills in the form, receives the email validation emails, visits the activation link in there and the user account is activated. From where your site is sitting there is no telling that this is a "Russian spammer" (something which you determine based on your arbitrary criteria). Please note that Joomla's registration page can be reached without a published menu item. This is by design in Joomla. It's what allows login modules to have a link to create a new user account.

If the "Russian spammers" do NOT follow the activation link in the email, i.e. they are indeed spammers, the user account created is not activate. You can go to Extensions, Plugins, System - Admin Tools and set up the automatic deletion of inactive user accounts. This is why this feature is there. Please do keep in mind that inactive users CAN NOT spam you in any way; they can not even log in.

If you do not want any new users to be created you can simply go to Users, Manage, click on Options in the toolbar and disable the user registration by setting User Registration to None.

If you want to block certain email domain names from registering you can set them up as Bad Words in Admin Tools. Remember to enable the Bad Words filtering in the Configure WAF page.

If you want to prevent anyone from Russia to access your site you can use Admin Tools' Geographic Blocking feature. Please note that this is not an absolute protection. Geoblocking can be trivially circumvented by using a VPN or proxy server with an IP outside the list of countries you are blocking.

In any other case you have to convert your "Russian spammer" gut feeling into actual rules you want to be followed. What makes someone a Russian spammer? If you say "their name" I will tell you that not all Russians are spammers and not all spammers have Russian names, so how exactly do you believe a name can be a sure indicator of being a spammer and also how do you determine a "Russian" name. Is it their country based on their IP? See above. Is it their email's domain name? See above. Is it a user with a name and email which doesn't "sound Russian" but posts content in Russian? Tough, there is no way to block content based on language since there is no open API which can determine the language of posted content (even though we could integrate with something like Microsoft Cognitive API you'd end up paying thousands of dollars per month to use that API since all requests to your site would need to go through it AND it'd slow your site to a crawl). In this case you can simply use Bad Words filtering to block common Russian words. If it's just your gut feeling that certain users are "Russian spammers", well, computers don't have guts or feelings.

So, to answer your question in simple terms: you have a badly defined problem; as a result you have not configured Admin Tools to deal with it (defining the problem is a prerequisite to solving it). Try defining the problem as very specific parameters which can be checked by a computer with absolute certainty and then configure Admin Tools to prevent access to your site based on these parameters.

The hard part is converting your gut feeling into actionable parameters. This is highly dependent on what your site does. For example, on our business site -the one we're having this conversation on- we know that if you're not a subscriber (belong to specific user groups) your only spam target is our Contact Us page and the Pre-sales category. This reduces this issue to deleting inactive user accounts of people who have never been subscribers after a couple of months and using Bad Words to block requests with known spammy content. We get two or three spam messages through every year but we have established that trying to catch these results in false positives which are detrimental to our user. On this site we can't block anything Russia-related since we have Russian clients (same goes for any other country, really) and we can't turn off user registration since that would obviously make it impossible to sell subscriptions. On my wedding site I have disabled user registration altogether because I am manually controlling who gets access. On my blog I use Bad Words filtering and Project Honeypot integration to keep spammers away. I do get some spam, then I update my Bad Words and it goes away. There is a bit of upkeep but I would be lying if I said I spend more than 5' a month on it, so it's not that bad. In every case I defined the same problem as a different set of parameters based on the context of the site's functionality and configured Admin Tools accordingly. I hope these examples give you some ideas.