Finally figured it out but I sure hope the script will be changed to include this in the future.
For a few days I noticed a high number of payouts on my faucet from a specific ref address. Currently there are 700+ addresses related to this ref address. Each address has an auto payout of 0.5 bitcoin (via address checker). Obviously, I did ban the ref address but this only rejects ref payouts to that address. I did some private modding on the script so all sessions that include that ref address are no longer paying out. That is, all that are processed with the /?r=ADDRESS URL or even the addresses for which the ref address was registered.
I'm pretty new to the whole faucet concept and the FIB script. Not sure if the developer is reading this, if so, please include the above checks (optionally or not) in your next script version. If you know that a ref address is used by a scammer/bot then most likely addresses that are using the ref address are also from a scammer/bot.
Hope it all makes sense. If not then feel free to ask of course.
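The payout check described in the post above, sketched as an added example; it is not part of the original post and not code from the FIB script. The class and function names, the faucet.example URL and the ADDR_* addresses are hypothetical placeholders constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

BAD_REF = "ADDR_BANNED_REF"  # constructed placeholder, not a real address

def ref_from_url(url):
    """Return the r= value of a /?r=ADDRESS style URL, or None if absent."""
    values = parse_qs(urlparse(url).query).get("r", [])
    ref = values[0].strip() if values else ""
    return ref or None

class ReferralGate:
    def __init__(self, banned_refs=()):
        self.banned_refs = set(banned_refs)
        self.registered_ref = {}  # claimant address -> referrer recorded earlier

    def decide(self, address, request_url):
        """Return (pay, reason) for one claim."""
        url_ref = ref_from_url(request_url)
        if address in self.banned_refs:
            return False, "address is a banned referrer"
        if url_ref in self.banned_refs:
            return False, "session arrived via a banned ref URL"
        if self.registered_ref.get(address) in self.banned_refs:
            return False, "address was registered under a banned referrer"
        # Record the first referrer seen for this address; ignore self-referral.
        if url_ref and url_ref != address:
            self.registered_ref.setdefault(address, url_ref)
        return True, "ok"

    def referred_by(self, ref):
        """Addresses registered under ref, so the operator can review them."""
        return sorted(a for a, r in self.registered_ref.items() if r == ref)

def demo():
    """Two addresses register, the referrer is banned, then three claims arrive."""
    site = "https://faucet.example/"  # hypothetical faucet URL
    gate = ReferralGate()
    gate.decide("ADDR_A", site + "?r=" + BAD_REF)
    gate.decide("ADDR_C", site + "?r=ADDR_HONEST_REF")
    gate.banned_refs.add(BAD_REF)
    return gate, [
        gate.decide("ADDR_A", site),                    # registered earlier
        gate.decide("ADDR_B", site + "?r=" + BAD_REF),  # new session, banned URL
        gate.decide("ADDR_C", site),                    # unrelated referrer
    ]

if __name__ == "__main__":
    for pay, reason in demo()[1]:
        print(pay, reason)
```

`referred_by` lists the addresses tied to a referrer so they can be looked at before or after a ban is applied.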
700 is a lot, but where to draw the line?
Some faucets are listed on popular rotators/faucet lists. Where to draw the line between suspicious and real?
I have over 800 referrals in some faucets and I earned them all the honest way.
Please make sure that person has gained the referrals using bad methods before you ban them.