After playing around with the different versions of Magento 2, I found 2.2.5 to be the most stable for the QQ.COM email spam attacker.
In version 2.2.5 The spammer only shows up as a online visitor and does not create a new customer account automatically.
In versions 2.2.6, 2.2.7, and 2.3.0 the email spammer automatically creates a customer account, bypassing the account login setup, creating the hundreds of customers per hour in the data base. I have tried using IP blockers, but the spam still gets through.
In version 2.2.5 the data base visitor log shows over 750 visitors in about a 2-day period, but nothing shows visibly on the admin side, except who is on line at that time. With the online visitor it does not show any information on the ID, First Name, Last Name or Email columns, only shows Last Activity and Type. Usually 5 – 10 online at a time when I look.
I think the next version of 2.3.X should have the same method of showing all incoming mail as a visitor and not as a customer that automatically creates the hundreds of customers per hour.
Have an admin option to manually or automatically purge the visitor database at any time, otherwise the data base would continue to grow unchecked. (Could be purged every hour, once a day, once a week, once a month type options)