Anti-Spam System Proposal
The first feature we need is a regressive ratelimit. The fewer posts/PMs you have, the longer you have to wait between posting. This addresses the issue of a single spambot creating posts as fast as the forum can accept them (as it was in the recent spambot attack). I will also ratelimit by IP address so a spambot can't just even their spam across a bunch of accounts so easily.
For example, if an account has 0 posts, they would only be able to create a topic or post every 10 minutes. Once they get 5 posts, they can post every 5 minutes. Not sure of the numbers yet, and I obviously don't want to kill the momentum of a new user, but that's the idea. Really depends on what kind of spambot behavior we have.
Existing established users wouldn't be ratelimited (beyond perhaps a sanity-check of a few seconds to prevent double posting once and for all).
When addressing spambots, in my experience, you don't need perfect countermeasures, just countermeasures that makes things annoying enough for them to stop (if there's a human driving them). It's possible that a ratelimit alone is enough for me to re-enable registrations while I work on the following features.
The second feature is a moderation-queue for new accounts. It should be a list of the first 5 or so posts by each newly registered account. From there, mods can nuke spambots or, more importantly, promote new-but-legitimate users into full members so they can escape the ratelimit. That would make our lives a lot easier, bless our moderators who have had a very shitty modkit over the last two years.
The third feature is a general report-post/report-user system. Something we've needed for a long time but kept getting procrastinated due to our two-year lucky streak of minimal spambot issues.
The fourth feature, though more of an unlikely wishlist feature, would be a system for trusted users to vote to nuke spambots without mod intervention. Mods would simply see a feed of accounts nuked by the community which they could then reverse if there was some sort of wrongful nuking.
I'm implementing those in order (ordered by urgency) and hopefully the ratelimit alone is enough to discourage the spambots that attacked us last weekend.