Hi,
I have noticed that there is already a post about the new user spam problem. This post is about some possible solutions I'm using, and how we might fight back.

  1. The simplest solution is adding a captcha; hCaptcha is recommended if you want to serve people all around the world (in some countries and regions, Google's captcha is not available).
    My website hasn't received any spam since I installed hCaptcha.

  2. The attacks are mainly from the IPs below (feel free to add more if you were attacked by other IPs).

Many more; I'll add them tomorrow using my PC instead of my pad.

These IPs are all from Moscow, Russia. Another possible solution is that we make a list of these IPs and then block them. I've already set up a GitHub project for the list of spam IPs; pull requests are welcome.

  3. Although it's not recommended, we may fight back. I've run nmap and Nessus scans on these IPs; they are all used by machines in a LAN, in other words, they are using a single DDNS or NAT service to connect to the internet. Thus, DDoSing them won't harm innocent machines. However, it's never recommended.

  4. (Just a little advice/idea) Would it be possible for the next version of Flarum to contain a built-in captcha with a permission system? I've written a built-in captcha in single-page PHP before (https://github.com/Aurorum-Studio/captcha), but it was for another project. I think it won't be very difficult to migrate it to Flarum, but I don't have time to do so at the moment.

Wish all the best,
Xavier

Addition: some possible negative effects after being attacked, and how we could solve them.

  1. The email of the website may be marked as spam by some email systems.
  2. People who own the emails may not be able to register.
  3. The reputation of the website may be impacted.
  4. (It looks like it, but it could not be checked.) The attacker is using an email list breached from Twitter last year.
  5. The server of the website would suffer from the spam.

Possible solution (I haven't tried it yet, just concluded from a previous discussion):
Use FoF User Directory extension to delete spam users.
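Server-side verification of the hCaptcha token from point 1, as an added example that is not code from the original post, from Flarum or from hCaptcha. The captcha only blocks bots if the token the browser posts back is checked against hCaptcha's siteverify endpoint on the server; the host name, the canned replies and the clock values below are constructed for offline use.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://hcaptcha.com/siteverify"
MAX_TOKEN_AGE = timedelta(minutes=2)  # a solved token replayed much later is rejected


def post_siteverify(secret, token, remote_ip):
    """Real transport: POST the token to hCaptcha and return the parsed JSON reply."""
    data = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_hcaptcha(secret, token, remote_ip, expected_host, now=None,
                    transport=post_siteverify):
    """Return (ok, reason). The transport is injectable so the decision logic
    can be exercised offline against a constructed siteverify reply."""
    if not token:
        return False, "missing token"  # skip the round trip for junk submissions
    try:
        reply = transport(secret, token, remote_ip)
    except Exception as exc:  # network failure: fail closed rather than let bots in
        return False, f"siteverify unreachable: {exc}"
    if reply.get("success") is not True:
        return False, "rejected: " + ",".join(reply.get("error-codes", ["unknown"]))
    # A token solved on another site's widget is a forgery as far as ours is concerned.
    if reply.get("hostname") != expected_host:
        return False, f"hostname mismatch: {reply.get('hostname')!r}"
    solved = datetime.fromisoformat(reply["challenge_ts"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if now - solved > MAX_TOKEN_AGE:
        return False, "token too old (replay?)"
    return True, "ok"


# Constructed siteverify replies (the fields hCaptcha documents) and clocks for offline use.
GOOD_REPLY = {"success": True, "challenge_ts": "2023-01-15T10:00:00Z",
              "hostname": "forum.example.org"}
BAD_REPLY = {"success": False, "error-codes": ["invalid-input-response"]}
NOW_FRESH = datetime(2023, 1, 15, 10, 1, tzinfo=timezone.utc)   # 1 min after solving
NOW_STALE = datetime(2023, 1, 15, 10, 30, tzinfo=timezone.utc)  # 30 min after solving


def canned(reply):
    """Transport stand-in that returns a fixed reply instead of calling hCaptcha."""
    return lambda secret, token, remote_ip: reply
```

In a real handler the `secret` is the site's hCaptcha secret key and `token` is the `h-captcha-response` field the widget adds to the registration form.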

Your 1-3 are why I never enable automated e-mails in the first place. E-mail automation is an atrocious idea. If you ever get on a blacklist, it will take years and most likely some de facto bribes to clear a domain. That's probably why 99% use Google, AWS, and other centralized billionaire mail services that cannot lose rank due to being the dictator.

Instead of contributing to an ever more bizarre dystopia, how about we scrap the greedy 3rd-party data-krakens and do what has been done since phpBB v1: homemade, creative CAPTCHAs? Offline, no cloud BS, user-friendly. Bonus points for making them keyboard/screen-reader friendly.

Everything can be botted, but having a variety of random ones surely stops 95%, because it's too annoying, and the mass bot crap is not targeted.

It could even be a community 'thing' to come up with new, fun ones.

Other than that, manual user creation after manual verification by mail makes sense to me. A BB is not meant to be real-time, zero-attention-span anyway. Genuine users can wait a day or two for a new account. I've asked how to do so here.