Confirm that the right file's being used.
as you will have seen...this incredibly obvious step was one I missed. (the architecture of the directories is a little illogical - I didn't set it up).
Confirm that the spam you're seeing is actually forbidden by the settings (eg, is it from logged-in users already existing?)
I've deleted all users in php admin that I didn't know.
I notice that Firefox doesn't allow people to type in a log-in though....
I can now create users in php admin? I will have to look into it...(I'll try not to post more daft questions...)
thanks for getting back so quick.