Please. Captcha by default. Email domain filters. Auto-block federation from servers that don’t respect. By default. Urgent.
And yes, to refute some comments, this publication is being upvoted by bots. A single computer was needed, not “thousands of dollars” spent.
I’m not really enthusiastic about email filters either, from a privacy standpoint. Plenty of companies that go harvest email addresses to link identities to activity. And even if the instance admin isn’t doing that, it’s one more thing that someone could break into a server and swipe.
If the CAPTCHA can’t handle it, then it ain’t doing its job.