I have been getting hundreds of spam registrations to my Drupal 7.x site for the last 4 months. The site has been set to:
Registration and cancellation > Who can register accounts? > Administrators only
for the entire time, so I venture to guess this was introduced 4 months ago (i.e., the site has been operational since early 2012, spam registrations started 4 months ago). Viewing the changelog for Drupal 7.19, it does not address any issue like this, so I would imagine this is still a hole in my installation.
As far as I can tell, they can only register, but the accounts all appear to be blocked, but they shouldn't even be able to register according to the setting above.
Let me know how to escalate this or report this in a more "correct" way.