Please. Captcha by default. Email domain filters. Auto-block federation from servers that don’t respect. By default. Urgent.
And yes, to refute some comments, this publication is being upvoted by bots. A single computer was needed, not “thousands of dollars” spent.
Yes, captcha is the default minimum that should be implemented.
Also reasonable is to log account creation with IP and timestamp, which allows retroactively remove offenders if patterns occur, or [more easily] determining if 500 account signed up within 5 minutes from a single IP.
While kind of a pain, but fairly efficient: require a phone number with text verification to enable an account.
Yes I know there’s ways around each of these, but it makes it much harder to spin up many accounts through rudimentary means.