I have 13,000 members. I can't do a knee-jerk reaction like that... half of my members probably don't even remember the e-mail address that they used to sign up with!
Apologies, my post sounded rather direct and I didn't mean it to.
I'm concerned that some of the solutions proposed so far are only partial and continue to present a risk to the security of members' personal data. In particular, they don't address the vulnerability in forum software that half the log-in security is public domain and can be easily harvested, leaving only the password to be cracked.
When this hit my forum I had similar reactions to many who have posted - I posted over 100 IP addresses for others to block but still they came and now we are talking thousands. So I set about this logically and realised that there are two main threats here:
1) User experience - getting logged out
2) A potential security threat to members if the bots are successful and can access an account
The SMF upgrade/patch fixes the logout issue but not the security vulnerability if indeed that is what is being targeted by the bots. Personally, I don't want to ignore this aspect as it could have serious implications for my members even if the chances of success do seem remote.
Arantor's mod is the first to try and hide the log-in userID from guests throughout the forum and is the right approach as long as the spam bot hasn't already harvested any usernames. I think there is some evidence that it is not harvesting on the fly.
Another alternative would be to insist all members change their displaynames to something different to their userID but for a X,000 existing member forum that would be nigh on impossible to manage. Doing this for all members via MySQL is a possibility and I considered doing this but again it doesn't fix the issue if the bot has already harvested some forum userIDs.
The email login is in my view a more secure approach as even a non-guest can't easily access this info. Indeed sites like Facebook, PayPal, Amazon etc all use email log-in and don't display email addresses to the world. It is not ideal for large forums and I did worry about members not remembering what they registered with but in practice this is a minor issue to overcome compared to the alternatives.
I'd also recommend stopspammer or httpBL mods (or both) as a failsafe to deny access to your site from suspect IP addresses. They are both good mods but they haven't proven completely successful in stopping attempts although they reduce the risk considerably. In my experience they can also block genuine users so need to be managed sensitively.