On 09/11/14 17:19, Marc A. Pelletier wrote:
> On 11/09/2014 10:20 AM, Brian Wolff wrote:
>> Does anyone have any attack scenario that is remotely plausible which
>> requiring a verified email would prevent?
>
> Spambots (of which there are a multitude, and that hammer any MediaWiki
> site constantly) have gotten pretty good at bypassing captchas but have
> yet to respond properly to email loops (and that's a more complicated
> obstacle than first appears; throwaway accounts are cheap but any
> process that requires a delay - however small - means that the spambot
> must now maintain state and interact rather than fire-and-forget).

We have so far talked about spambots, but what about *vandals*?

We have a whole class of users interested in damaging/manipulating our
projects. Some of them just want to create problems, while others have
an agenda (e.g. SEO). A number of them know how to program (even though
they would probably not create a neural network to OCR our captcha!)

Removing the captcha also lowers the bar for an account creator bot,
which becomes very easy.

Given that a hundred dormant Wikipedia accounts are valuable, will
$wgAccountCreationThrottle be enough to deter them? Is changing the IP
every 6 accounts hard enough?

(Actually, you would also need not to raise sysop suspicions from the
names you generate, but given the weird names people are already using...)