Whether the spammers are from a prior version or not is of no concern. Spammers can easily get a registration from the old or new system since their registration process is manual and they can pass the image verification request at registration.
If I m reading this correctly....
They are getting around your security as it is now. Well then adding it to login too is not going to help as they can get through that too.
Ban their entire net block through .htaccess and that will stop them from using that net block. You can ban their entire country that way if you like.
