Re your post #4, yes - a security question would help. You could also increase the 'noise' in your captcha image to make it harder for the bots to OCR it.
Having said that, the extreme nature of the attack you are experiencing is not usual. It seems to be targeted. It may be worth asking your hosting provider if any other subscribers to their services are reporting similar events.