Outbound Spam Vulnerability

My Drupal-8 website has repeatedly experienced a vulnerability which induced it to send outbound unsolicited email.  On the account sign up page I employ reCaptcha and an email confirmation requirement.  The problem is that malicious agents are able to crack the CAPTCHA and submit bogus email addresses.  My server unwittingly sends out confirmation requests to the bogus addresses, causing my domain to get blacklisted for spamming.  Does anyone have a suggestion how to combat this vulnerability? 

Drupal version: 

Source: https://www.drupal.org/taxonomy/term/2/feed