On 11/09/2014 10:20 AM, Brian Wolff wrote:
Does anyone have any attack scenario that is remotely plausible which requiring a verified email would prevent?
Spambots (of which there are multitude, and that hammer any mediawiki site constantly) have gotten pretty good at bypassing captchas but have yet to respond properly to email loops (and that's a more complicated obstacle than first appears; throwaway accounts are cheap but any process that requires a delay - however small - means that spambot must now maintain state and interact rather than fire-and-forget).
I can tell you that on the (non-WMF) mediawiki installations I administer, requiring email confirmation before being able to edit reduced spambot editing by well over 95% without the number of spambots being significantly afftected (it's still quite visible by the bot /creating/ accounts).
But there is also a great heap of anecdotal data that shows that having to provide an email account increases the barrier of entry to users signing up. So, there's a tradeoff.
-- Marc