In case anyone is ever curious or has a similar problem, here is how I solved our issues. I'm not sure if they were bots or just human spammers, but they were creating new accounts, supplying an email address, and then verifying the email link. That means that they were 'emailconfirmed' users, making it hard to limit their privileges without effecting other normal users.
The issue was that these spammers were using "throw away" email addresses to register. MediaWiki does not currently have any standard protection against this. I was able to stop them by adding the following to LocalSettings.php.
$wgHooks['AbortNewAccount'][] = 'noMailinator';
function noMailinator( $user, $message ) {
if( preg_match( '/@(mailinator|binkmail|zippymail|devnullmail|mailinator2|bobmail|safetymail|tradermail|thisisnotmyrealemail|suremail|spamherelots|dispostable)/i', $user->getEmail() )) {
$message = 'One-time-use email services are forbidden on the Dragon Quest Wiki';
return false;
}
return true;
}