I've been tinkering with an extension to provide for a captcha to reduce
automated linkspamming while still staying out of the way for common use.
My preliminary code is running now on
test.leuksman.com; the actual
"captcha" part is a really primitive plain text hack which would take
all of a few minutes for a dedicated attacker to crack, but don't worry
about that -- I'm not testing the protection yet, just the framework it
plugs into.
By default the captcha prompt will only kick in if an edit adds new URLs
to the text. Most regular editing shouldn't trip this -- wiki links,
plain text, or just preserving existing links. But if you add new HTTP
links that weren't there before, it'll then make you pass the captcha
before it saves.
The captcha step can also be bypassed based on user group (e.g. registered
bots, sysop accounts, optionally all registered users), and can also be
set to skip for any user who has gone through confirmation of their
account e-mail address.
I haven't coded it yet, but it should also be possible to add a URL
whitelist, for instance for the site's own local URLs.
As for a 'real' captcha generator to put into this system, I'm not too
sure what code is already out there that's not awful. There's a Drupal
plugin which would be easy to rip GPL'd PHP code from, but it doesn't
seem very robust.
There's a set of samples of various captcha output and their weaknesses
here:
http://sam.zoy.org/pwntcha/
Obviously it would be good to either find something on the 'hard
captchas' list rather than 'defeated captchas', or roll our own that
doesn't suck too bad.
There's also the question of whether we can feasibly provide an audio
alternative or what have you.
-- brion vibber (brion @ pobox.com)
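The trigger logic the post describes (fire only when an edit adds URLs that were not there before, skip for trusted groups or confirmed e-mail, whitelist the site's own URLs) as an added, stand-alone example. This is not the extension's code and does not use MediaWiki's API; it is written in Python rather than PHP so it can run on its own. The host name in LOCAL_HOSTS, the group names in SKIP_GROUPS, the URL regex and the sample revisions are all assumptions made for illustration. It also shows the check a practitioner would want on the whitelist: match on the parsed host, not on a string prefix, so that look-alike hosts and userinfo tricks do not pass as local.

```python
"""Captcha trigger: fire only when an edit adds new, non-local URLs.

Added example, not the extension's own code. LOCAL_HOSTS, SKIP_GROUPS,
URL_RE and the sample text are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed: the wiki's own host(s); links to them are whitelisted.
LOCAL_HOSTS = {"test.leuksman.com"}

# Assumed group names; members of these groups skip the captcha.
SKIP_GROUPS = {"bot", "sysop"}

# Whether a user with a confirmed e-mail address also skips it.
SKIP_IF_EMAIL_CONFIRMED = True

# Bare external links in wikitext. Trailing punctuation is trimmed below
# (this also trims a ')' that is genuinely part of a URL; acceptable here).
URL_RE = re.compile(r"(?:https?|ftp)://[^\s<>\[\]\"']+", re.IGNORECASE)

# Constructed sample "old revision" used by the demo at the bottom.
SAMPLE_OLD = "Intro text. See http://example.org/docs and [[Some wiki link]]."


def normalize(url):
    """Lower-case scheme and host so re-casing an existing link is not 'new'."""
    p = urlparse(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def extract_urls(text):
    """Set of normalized URLs appearing in a block of wikitext."""
    return {normalize(m.group(0).rstrip(".,;:)")) for m in URL_RE.finditer(text)}


def is_local(url):
    """Whitelist on the parsed host, never on a string prefix: a prefix test
    would accept http://test.leuksman.com.evil.example/ and
    http://test.leuksman.com@evil.example/ as local, this does not."""
    host = urlparse(url).hostname or ""
    return host in LOCAL_HOSTS


def added_external_urls(old_text, new_text):
    """URLs in the new revision that are not in the old one, minus local ones."""
    new = extract_urls(new_text) - extract_urls(old_text)
    return {u for u in new if not is_local(u)}


def user_exempt(groups=(), email_confirmed=False):
    """Group-based or e-mail-confirmation-based bypass."""
    if SKIP_GROUPS & set(groups):
        return True
    return SKIP_IF_EMAIL_CONFIRMED and email_confirmed


def captcha_required(old_text, new_text, groups=(), email_confirmed=False):
    """The decision made before an edit is saved."""
    if user_exempt(groups, email_confirmed):
        return False
    return bool(added_external_urls(old_text, new_text))


if __name__ == "__main__":
    cases = [
        ("plain text / wiki links only", SAMPLE_OLD + " More [[Links]] here."),
        ("new external link", SAMPLE_OLD + " Buy at http://spam.example/buy."),
        ("same link, re-cased", SAMPLE_OLD.replace("http://example.org", "HTTP://Example.ORG")),
        ("local link", SAMPLE_OLD + " See http://test.leuksman.com/wiki/Foo"),
        ("look-alike host", SAMPLE_OLD + " http://test.leuksman.com.evil.example/x"),
        ("userinfo trick", SAMPLE_OLD + " http://test.leuksman.com@evil.example/x"),
    ]
    for label, new in cases:
        print(f"{label:28s} captcha={captcha_required(SAMPLE_OLD, new)}")
    print("sysop adding spam link     captcha=%s"
          % captcha_required(SAMPLE_OLD, cases[1][1], groups=["sysop"]))
```

Comparing sets of normalized URLs rather than diffing text means that moving, re-casing or deleting an existing link never trips the prompt, which is the "stay out of the way for common use" property the post is after.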