Personally don't think your software is working. Even when you stop them from posting they still log on. I have actually seen where you block two of them , they log on and for some reason there is also one hidden member signed in and states there is 4 members online when there is just two names showing. Personally I would turn off the civilian option because they have spammed thru that and really a person should make an account if they are serious. Next I would make it that even once they make an account that they can't post until it is cleared by you. Maybe have some join up questions that a new member has to answer. If anything this will slow them down and make it so not worth their time to keep coming back and spamming. Your forum setup is too loose on these parameters and why they keep coming back and spamming wasting peoples time having to fix it. Your whole platform is running on a non secure setup as well being http and not https. Wouldn't be surprised if they are trying to do other things in the background and thus why it shows more members being online than named.
Don't know if their software will allow that. But be interesting if that could be implemented where they have to make so many approved posts and than freedom to post whatever after the first rank. If anything though when it comes to these type of spammers the more difficult you make it for them to sign up and post by ie having an admin give acceptance or not would help. Facebook groups we do same thing where we have a question we ask and we review them before we allow them on the page. I know for a fact being I am A+, Network+, lvl 4 CCNA and 3 years of college as a computer systems tech/network admin that more could be implemented on this site to slow them down. At least the store is https but only when logged in since I checked their source code. Initial contact though even on their main store page shows as non secure and people will shy from those types of sites. They should be https across the board for everything.