Matrix.org chat experiencing spam flood attacks across the federation network
I asked about blocking signups from nefarious people in the synapse admins room a couple months back - and I chuckled when the reply I got was 'add captcha?'
I thought it was a joke at the time.
I am glad the devs are working on security as a priority and other great features. However, moderation tooling could be more user friendly, and the signup process could have some layers of security added for sure.
what I'm thinking on the signups: a blacklist for ips, CIDRs, email domains, maybe hostnames, maybe countries. (With option to block all minus the whitelist)
a throttle list - more than 2 signups from this grey area of ips, hosts, tor, email addys - pause them for X number of hours/days - give notice they can ask an admin to add their [thing] to the whitelist in case you have a group you want to join from some new [place] or whatever is generating dozens from [place] this week.
a whitelist - one of my sites might have comcast hostnames for ips and emails, along with gmail, proton, perhaps.
would be nice for a GUI so moderators could add to the whitelist - and super bonus if other users above total noob level could add an email addy to the list (inviting friend).
I added 16 mill 32k ips to one of my chat sites ban list today - I don't need repeated spam from isp X when I never get any real users from that country in the first place.
Terrible spam can ruin a chat community as much as anything. When I say terrible spam I mean the trolls that like to 4ch/cp and such to test your site's moderation and capabilities.
I need to ban all the ips from a few VPNs to stop this one pesky, wealthy non-stop troll - doing it server side / iptables is meh. And looking up the ips manually sucks too - but something needs to be done.
I'd put the money up on upwork to make such a (python? module) handling these things if someone would help me write up the matrix needs to make it mix it right.
This is a need - and an option to load third party block lists from various places should be a thing too.
not sure about memory requirements and if lookup for hostnames would choke a slow server or whatever - love to get more ideas to block and stop bots and abusive folks.
maybe extra questions to answer beyond captcha when signups exceed X per hour with option to add more layers of questions and answers. (I know there is some semblance of this sort of thing baked into the homeserver.xml or whatever - and it's already a huge file to contend with - not needing more bloat, but this is a need at this point)
Love to get an option to dunce (what else is it called?) - new users so they can't post X or Y (links, pics, whatever) until they have been users for at least X number of hours / days - and maybe block anyone that was registered on 6-28/29 during the bot signup-pocalypse time.
Matrix is the best chat system I've found. Looking forward to it getting stronger.
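The blacklist / throttle list / whitelist scheme described in the post above, sketched as an added example that is not part of the original post and is not Synapse code. The class name `SignupPolicy`, its parameters, and the precedence (explicit block, then allowlist, then grey-area throttling per IP and per email domain) are assumptions; the addresses are constructed documentation ranges.

```python
import ipaddress
import time
from collections import defaultdict, deque


class SignupPolicy:
    """Decide 'allow', 'block' or 'throttle' for one registration attempt."""

    def __init__(self, block_nets=(), block_domains=(), allow_nets=(),
                 allow_domains=(), grey_limit=2, pause_seconds=6 * 3600,
                 block_unlisted=False):
        self.block_nets = [ipaddress.ip_network(n) for n in block_nets]
        self.allow_nets = [ipaddress.ip_network(n) for n in allow_nets]
        self.block_domains = {d.lower() for d in block_domains}
        self.allow_domains = {d.lower() for d in allow_domains}
        self.grey_limit = grey_limit          # signups allowed per grey source
        self.pause_seconds = pause_seconds    # the "X hours" pause window
        self.block_unlisted = block_unlisted  # "block all minus the whitelist"
        self._seen = defaultdict(deque)       # source key -> signup timestamps

    @staticmethod
    def _in_any(ip, nets):
        return any(ip.version == n.version and ip in n for n in nets)

    def check(self, ip_text, email, now=None):
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(ip_text)
        domain = email.rpartition("@")[2].lower()
        # Assumed precedence: explicit block, then allowlist, then grey rules.
        if self._in_any(ip, self.block_nets) or domain in self.block_domains:
            return "block"
        if self._in_any(ip, self.allow_nets) or domain in self.allow_domains:
            return "allow"
        if self.block_unlisted:
            return "block"
        keys = (f"ip:{ip}", f"domain:{domain}")
        for key in keys:
            stamps = self._seen[key]
            while stamps and now - stamps[0] >= self.pause_seconds:
                stamps.popleft()              # forget signups outside the window
            if len(stamps) >= self.grey_limit:
                return "throttle"             # tell the user to contact an admin
        for key in keys:
            self._seen[key].append(now)
        return "allow"


if __name__ == "__main__":  # constructed sample values (documentation ranges)
    p = SignupPolicy(block_nets=["203.0.113.0/24"], allow_domains=["example.org"])
    print([p.check("198.51.100.7", f"u{i}@example.net", now=0) for i in range(3)])
```

State here lives in process memory only; a real deployment would need to persist the counters and wire the decision into its own registration path.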
Taking notes, thanks for the feedback :)