Hi,
I would set require email confirmation to true in Site Settings > Security, then it can't sign in unless it uses real email addresses and can respond to the email link.
Also whenever I see evidence of any kind of spam script in my logs I ban the ip address using Admin > Advanced Tools > Banned IP Addresses.
Curious how can you be sure its the same script or bot if its not the same ip address?
Best,
Joe