This makes interesting reading:
1) Disable new signups or, if you think that is too extreme, install SecurePages
2) Install SimpleAntiSpam
3) Install SpamBlacklist and TitleBlacklist
4) Allow anonymous edits
5) Always block the IP addresses that spam is posted from
6) Install User Merge and Delete and use that to clear out the
existing spammer accounts.
#1 is the most important step. It's easy for spammers to create
A CAPTCHA makes only a small difference, not worth the extra bandwidth
cost for the images. The hundreds of throwaway accounts are almost as
big a problem as the spam postings.
#2 reduces the volume of spam by at least 1/3.
The only robots that get past SimpleAntiSpam are those specially
designed for MediaWiki, not the ones that fill in all textareas in
every web page everywhere.
Similarly if your site has SSL, SecurePages (or its predecessor
HttpsLogin) thwarts some bots that don't have SSL support.
#3 will stop you getting the same spam posting (or variants of it)
repeatedly. If you update the blacklist regularly that should reduce
the volume of spam by another 10-20%.
And remember the spammers will run out of paying customers (you
eliminate one for every domain you block links to) long before they
run out of public proxies/zombies to post from.
#4 does not increase the volume of spam as much as you might expect.
There's a popular MediaWiki-spamming bot that never attempts to post
anonymously - it gives up when it cannot find the "create account"
And if you don't do this, you don't have a wiki anymore (you just have
a static website using MediaWiki as a CMS.)
There is a small bonus - it makes it easier to find (and block) the
spammers' IP addresses. Of course you can get the IP addresses using
CheckUser or by reading the database directly, but it's much easier
when the IP address is in plain sight.
#5 is the least effective measure, but it's still worth doing.
Spammers do re-use IP addresses. They may be cheap but they are not
infinite, and sometimes you will catch one of those runaway robots
that posts a spam page every 5 minutes.
#6 doesn't prevent spam, but it allows you to clean up your user list
page once you have other anti-spam measures in place.
Should the extensions mentioned be incorporated into the main MW
package rather than being added later?
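
The idea behind step #3 (reject an edit by the domain it links to, whatever IP address it comes from) as a small added sketch. This is example code added here, not SpamBlacklist's own code and not part of the original post; the blacklist entries, the sample edit and all function names are constructed for illustration.

```python
import re

# Constructed blacklist: one regex fragment per line, '#' starts a comment.
BLACKLIST_TEXT = r"""
# sample entries (constructed)
cheap-pills\.example
\bcasino-[a-z]+\.example
"""

# Host part of every http/https link, in bare or [url label] wiki syntax.
URL_RE = re.compile(r"https?://([^\s/\[\]<>\"|]+)", re.IGNORECASE)

def compile_blacklist(text):
    """Join all valid fragments into one regex; return None if the list is empty."""
    fragments = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            re.compile(line)
        except re.error:
            continue  # one broken entry must not disable the whole list
        fragments.append(line)
    if not fragments:
        return None
    return re.compile("(?:" + "|".join(fragments) + ")", re.IGNORECASE)

def added_hosts(old_text, new_text):
    """Hosts linked in the new revision that the old revision did not link."""
    old = {h.lower() for h in URL_RE.findall(old_text)}
    new = {h.lower() for h in URL_RE.findall(new_text)}
    return sorted(new - old)

def check_edit(old_text, new_text, blacklist):
    """Return the newly added hosts that match the blacklist (empty = allow)."""
    if blacklist is None:
        return []
    return [h for h in added_hosts(old_text, new_text) if blacklist.search(h)]

if __name__ == "__main__":
    bl = compile_blacklist(BLACKLIST_TEXT)
    old = "See https://www.mediawiki.org/ for help."
    new = old + " Buy at http://www.Cheap-Pills.example/buy now"
    print(check_edit(old, new, bl))
```

Only links that the edit adds are checked, so a page that already carries a listed link can still be edited and cleaned up.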