spammers, bots have figure out how to crack the "identification" codes (the visual code you enter when creating an account)
some php folks use another question to "reduce" the number that get in.. no matter what you do though, the spammers will get in occasionally, you just delete them and ban the domain (usually)