Thank you, Mark. I did mention I wondered if the sign up box on my website was the cause, it sounds like it was a major factor. I am happy to remove it from my site if it would help and just provide a link to the group's homepage, but hope your actions today will largely resolve the problem.
I did clear out over 100 pending members this morning and am at 25 new ones so far today (not including those we approved today and those I rejected during the day because they were so suspicious-looking) so it is slowing down already. So I don't mind waiting for the revised embedded form until you are back from your vacation if it's easier for you. Have a good trip.
I spent the last few hours investigating this. Here's what I've found and what I've done so far.
I went through a bunch of the NC pending members in Helen's group to see what was happening. There are around 25 NC people pending for her group, just in the last day. All the ones I checked had registered on the website. The email addresses are mainly gmail and yahoo. The addresses all appear to be valid. The IP addresses of the machines do not appear to be concentrated in any one area/service. The actions do not happen with a speed that would trip any reasonable rate limiter.
All of the signups I saw in the logs were the result of websites that had embedded the Groups.io signup form on their site (this is from the Promote page under the Admin menu). It appears that there is a crawler that goes around looking for sign up forms and inputs email addresses. It does not appear to be targeting us specifically. Our sign up form has some protection against crawlers, but clearly not enough.
I'm going to be a little vague here, but I've done a few things that should cut down on these bogus joins, at least in the short term. One of the things is that I updated the IP blocklists that I use to prevent connections from some parts of the Internet. I hadn't updated these lists in awhile; they were definitely out of date. That will take care of some of the bogus joins. I also did some other things that will block the majority of others, at least for now. I have no illusions that these actions will permanently solve the problem, but at least they should give some temporary relief.
It is clear that I need to harden the signup form some more against crawlers. And once I do that, people will need to replace the existing embedded signup forms with the new one. I will work on that the rest of today and try to get it out on Monday before I leave.
Longer term, I think we'll have to look at the idea of making people confirm their accounts before they become pending members. But that's a conversation for another thread.