Our wiki has been spam-free for over a year now, despite anonymous editing being allowed, while keeping the inconvenience for legitimate editors to a bare minimum. Here is what we're doing:
First, we use ConfirmEdit with QuestyCaptcha, but only for "createaccount" and "badlogin". We ask community-specific questions, and the answer is not a word in the question; seems to work perfectly, we didnt have a bot-account for over a year now (also, we dont allow numbers in account-names, which probably helps too). If we would require editors to be logged-in, we probably wouldnt need any other spam-protection. Since we do want to allow anonymous editing, we also use the Abuse-Filter-Extension with Filters that only trigger for users that are not autoconfirmed (autoconfirmed-status is given in our wiki once the first edit was successful). One of the filters (probably the most important) requires users to do something specific if they want to create a new page (most spammers try to create new pages); if they dont, their edit is blocked. This specific action could be anything, from adding a certain word to using specific wiki-markup or using a certain edit-summary. Ideally, every wiki using this concept should require a different action, just like QuestyCaptcha-Questions will differ for every wiki. That way, spammers cant adjust their bots to it. And what about spammers that edit existing pages? Luckily, they almost always add links, and they almost always delete existing text, so one can construct filters to stop that.
In summary: Interested editors have to answer a simple question if they want to create a new account. After that, they can do whatever they want, without being watched by the filter. Anonymous editors have to do something specific if they want to create a new page or add new links - or they could just create a new account. And spammers are blocked completely.
So, in my opinion, the following should be done to help new wikis combat spam:
1. Bundle ConfirmEdit and AbuseFilter with each MediaWiki-Download. 2. Make QuestyCaptcha the default for ConfirmEdit. It is easy to use and more effective than recaptcha, cause it cant be solved by paid workers from the other side of the planet while allowing interested, legitimate editors to pass (if your questions are good enough). 3. AbuseFilter should have a pre-installed filter (or at least a link to a help page with examples). 4. The section about AbuseFilter on Manual:Combating_spam should contain examples or a link to a page with examples.
examples:
!("autoconfirmed" in user_groups) & (action == "edit") & (article_articleid == 0) & !("your phrase or wiki markup" in new_wikitext)
alternativly:
!("autoconfirmed" in user_groups) & (action == "edit") & (article_articleid == 0) & !("your phrase" in summary)
another alternative:
!("autoconfirmed" in user_groups) & (action == "edit") & ((article_articleid == 0)|(length(added_links) >= 1)) & !("your phrase" in summary)
Obviously, the message telling the editor that his edit was blocked should mention what he has to do if he wants his edit to be saved, so the notes of the pre-installed filter should contain a link to MediaWiki:abusefilter-disallowed.
The really important thing here is that spammers cant adjust to these measures if every wiki asks different question and demands different actions for edits from anonymous users.
Also, we have been using the already mentioned bot-trap from danielwebb.us/software/bot-trap for some time now. Since legitimate users can unblock themselves, it really doesnt hurt to use it.
Greetings Stip