On 09/11/14 17:19, Marc A. Pelletier wrote:
On 11/09/2014 10:20 AM, Brian Wolff wrote:
Does anyone have any attack scenario that is remotely plausible which requiring a verified email would prevent?
Spambots (of which there are a multitude, and that hammer any MediaWiki site constantly) have gotten pretty good at bypassing captchas but have yet to respond properly to email loops (and that's a more complicated obstacle than first appears; throwaway accounts are cheap but any process that requires a delay - however small - means that the spambot must now maintain state and interact rather than fire-and-forget).
We have so far talked about spambots, but what about *vandals*?
We have a whole class of users interested in damaging/manipulating our projects. Some of them just want to create problems, while others have an agenda (e.g. SEO). A number of them know how to program (even though they would probably not create a neural network to OCR our captcha!).
Removing the captcha also lowers the bar for an account creator bot, which becomes very easy.
Given that a hundred dormant Wikipedia accounts are valuable, will $wgAccountCreationThrottle be enough to deter them? Is changing the IP every 6 accounts hard enough?
(Actually, you would also need not to raise sysop suspicions from the names you generate, but given the weird names people are already using...)