I doubt it would help much unless we required a 2FA auth cycle for every single edit, which I for one wouldn't stand for. Reasonably user-friendly policies like one auth a day would still be plenty easy for spammers too. (They've got phones too ya know.)
Bummer, o.k. Although it seems that spammers only go after easy targets.
I dunno. I was astonished that they came back a second time after we'd once thrown them off and cleaned up the mess; you'd think they'd realize that that would just happen again. I think it may have been an intentional attack on the PG project as such, not just drive-by spamming. (If so, and if the goal was to complicate our lives, they succeeded.)
Or maybe I'm just too paranoid.
Hrm, do we have the IPs that they were coming from? Were they from a specific block? Or GEO region? I hate the idea of blocking login from a region but it may be an unfortunate reality.
The majority was from India, but not all. Most of it was from what looked like typical residential or small business DSL connections. Some also originated from USA. Those were the only two sources I saw when I looked back then, but we had a limited number of attempts logged at that time.