Martin:
> Unfortunately, reCAPTCHA might be a victim of its own success - as
> of 2011, some spammers appear to have figured out a way to bypass it,
> either through character recognition or by using humans. For that
> reason, it is not necessarily recommended.
If they have humans working for them no turing test will suffice.
(or, perhaps the advanced math one..)
this is why I think it is good to keep the captcha for urls. They could
have humans create the accounts and then spambots polute 100 pages once
the account is created. i.e. make it as expensive for them as we can.
Ben:
I can confirm this. On another site that I manage, based on
phpBB, I get unbelievable amounts of spambot requests to
open accounts. Apparently, simple graphical captchas no
longer hold them back. I think math captchas are a good idea.
Plus, it's free brain exercise 
> Part of the weakness of the ReCaptcha module is that ConfirmEdit
> doesn't include any penalty mechanism, so spam bots can simply keep
> trying to bypass the CAPTCHA until they get through. This is an issue
> that is strongly worth addressing in some way.
I guess reCaptcha doesn't mind the spammers working for them, free labor!
ok, that's probably being way too cynical, this is ConfirmEdit's bug
not reCaptcha's.
> [1] http://www.mediawiki.org/wiki/Confirmedit
hmmm, can't hurt to put a "sleep(3)" on a fail, line 119?
http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/ConfirmEdit/ReCaptcha.php?revision=104064&view=markup
and increment a counter, which if you fail ~10 times then replace the
call to $editPage->showEditForm( array( &$this, 'editCallback' ) );
with a message saying that "we could not verify that you were human and
your edit was unable to be submitted: make a copy of your work and try
again later"?
or perhaps mix it up a bit: if the reCaptcha fails 3 times switch to
the math captcha, if that fails 3 times failover to simpleCaptcha,
if that fails three times have mediawiki ban the IP address for 24 hours.
sort of a cascading fail2ban.
shrug,
Hamish
