On Sat, Jan 23, 2016 at 10:43 PM, Greg Stark <stark@mit.edu> wrote:
> On Sat, Jan 23, 2016 at 8:41 PM, Magnus Hagander <magnus@hagander.net> wrote:
> > It does not protect against people signing up for multiple accounts. Unless you were actually planning to send out hardware 2FA tokens to each actual contributor, but I'm pretty sure you didn't mean that?
>
> We could put a captcha which would at least prevent spammers from scripting attacks. I'm not sure what type of spamming we've had. I expect we would still see one-off spam by humans though.

We have a captcha for account signups already. That increased the signup time by 30-45 seconds on average.
We also have a 7 day grace period, so new accounts could not use the wiki for 7 days. It took *exactly* 7 days before the spam started again.
To me it's pretty clear that it did not come from scripts. Another hint of that is that a couple of those "scripts" emailed us asking for us to let them bypass the 7 day grace period.