Well that was a fun experiment for an hour. Turns out
captchas do actually
stop a non-zero amount of spam on non-test wikis.
logs tell the story pretty clearly.
This has been rolled back.
I spent a bit of time poking around. The spam seems to primarily be
related to page creation. A slightly smarter heuristic (such as requiring
that your edit count be > 0 before you can create a page) might mitigate
this. Disallowing edits that contain "<a href" might also help.
The more I think about this, the more I wonder whether we should change
the CAPTCHA model so that instead of applying CAPTCHAs in a blanket manner
to types of actions (page creation, account creation, etc.), we could
instead only force users to solve a CAPTCHA when certain abuse filters are
triggered. Adding this functionality to the AbuseFilter extension is
tracked at <https://phabricator.wikimedia.org/T20110>.
By shifting from the current rigid PHP configuration model to a looser and
more flexible AbuseFilter model, we could hopefully ensure that
anti-abuse measures (warning about an action, disallowing an action, or
requiring a CAPTCHA before allowing an action) are more narrowly tailored
to address specific problematic behavior. Even triggering AbuseFilter
warnings that simply add an extra click/form submission for specific
patterns of problematic behavior might trip up many of these spambots.
Robert, let me know if you want access on mediawiki.org
to look at the
deleted edits, though they're quite boring.