I've been tinkering with an extension to provide for a captcha to reduce automated linkspamming while still staying out of the way for common use. My preliminary code is running now on test.leuksman.com; the actual "captcha" part is a really primitive plain text hack which would take all of a few minutes for a dedicated attacker to crack, but don't worry about that -- I'm not testing the protection yet, just the framework it plugs into. By default the captcha prompt will only kick in if an edit adds new URLs to the text. Most regular editing shouldn't trip this -- wiki links, plain text, or just preserving existing links. But if you add new HTTP links that weren't there before, it'll then make you pass the captcha before it saves. The captcha step can also be bypassed based on user group (eg registered bots, sysop accounts, optionally all registered users), and can also be set to skip for any user who has gone through confirmation of their account e-mail address. I haven't coded it yet, but it should also be possible to add a URL whitelist, for instance for the site's own local URLs. As for a 'real' captcha generator to put into this system; I'm not too sure what code is already out there that's not awful. There's a Drupal plugin which would be easy to rip GPL'd PHP code from, but it doesn't seem very robust. There's a set of samples of various captcha output and their weaknesses here: http://sam.zoy.org/pwntcha/ Obviously it would be good to either find something on the 'hard captchas' list rather than 'defeated captchas', or roll our own that doesn't suck too bad. There's also the question of whether we can feasibly provide an audio alternative or whathaveyou. -- brion vibber (brion @ pobox.com)