Just a note for the time being...
One thing self-hosted folks can do is to block the IP range of the spammer(s) using 109.107.166.230, but that needs to be done in the server firewall.
This would be the range to block for that service provider, in CIDR format:
109.107.160.0/19
which blocks 109.107.160.0 through 109.107.191.255
And for that spammer in Iraq... that provider has a huge range of IP's, from 37.236.0.0 to 37.239.255.255 so I personally blocked a fairly small range for them which encompasses the one IP that spammer used:
37.239.8.1/24
(Note: I've added these on my own server already, and it appears I got to it before my sites were hit.)
More blocks can be added as you notice them, but try to keep the ranges small. Blocking a too-large range can cause server issues under the right (wrong?) circumstances.