In order for Question and Answer to be truly effective, you need to have dozens of questions that are specific to your topic. If you only have a few then it is easy to code a bot to look for a specific string and provide the answer. Math questions are the worst to check for a human on the other side. For the best human verification, you should use Recaptcha 2 from Google. This has millions of combinations used to check for human activity and the challenge is constantly changing.

You might also look for an addon that integrates StopForumSpam into vBulletin 4. This will check against a database of known spammers.

Beyond all this and due to the fact that you have addition required fields on the profile, it would appear that you're getting hit with human spammers. It only costs pennies per post to unleash an army of human spammers on a site.

However, to ban .top email addresses from registering you can go to Settings -> Options -> User Banning Options and enter .top (or whatever domains) in the Banned Email box. Note that it will ban all emails with .top in them if you use Aggressive Email Banning (another option on the page). Not just those using that tld.

No there's no special vulnerability to vB 4.2.5.

All forums, indeed all websites get spam and it seems to increase around the holidays when they perhaps think webmasters will be less vigilant.

A recent trend is to spam via the contact form. Annoying.