Thread:Extension talk:ConfirmEdit/SimpleCaptcha now useless/reply (5)

It's quite possible that having something that isn't already on every other wiki, blog and forum is an advantage regardless of the robustness of the underlying CAPTCHA. That's the only explanation I can see for actually having worse results with ReCAPTCHA (some spam still gets past, plus I get user complaints from wikis in languages for which ReCAPTCHA has no books natively) than the much weaker VisualMathCaptcha (which almost no one uses, so it hasn't been targeted by spammers).

Certainly there is a need for an expiry time on any challenge issued (to make it more difficult for a spammer to take a CAPTCHA from your site, re-use it on one of their own sites and trick that site's users into solving it) and a need to block IPs after a maximum number of failed attempts (as anything with a finite number of possible correct responses otherwise invites brute-force attacks with random answers).

As for using AbuseFilter to count failed attempts? Oddly, it looks like it only keeps count of the number of times its own rules have detected something questionable - which can be used to block or demote on repeated failures - but it does not even hook into LoginAuthenticateAudit to detect that an IP is repeatedly attempting to log in with the wrong password. It also has no means to detect that a user or IP is doing something to repeatedly trigger other extensions, such as ConfirmEdit or SpamBlacklist, or is repeatedly submitting payload URLs blacklisted by one or another RBL (which SpamBlacklist could be modified to detect, per its docs).

There is no AbuseFilter rule to say an IP repeatedly tripping LoginAuthenticateAudit or an extension's hooks (EditFilter, EditFilterMerged, APIEditBeforeSave, AbortMove, ArticleDelete, AbortLogin, AbortNewAccount, UploadVerification) should receive any extra penalty at all. All but one of the extensions which monitor LoginAuthenticateAudit notifications are CAPTCHAs which are programmed to appear on login if a previous login attempt failed. The Fail2banlog extension is the only one here to say "too many failed attempts, goodbye" to *anything*, and that only catches failed logins, not brute-force attempts to get past CAPTCHA or submit blacklisted URLs as payload. AbuseFilter does nothing about repeated violation of anything but its own rules.

To extend LoginAuthenticateAudit to report to an extension that an attempt to edit, move, upload or register an account had been repeatedly rejected by another extension would be a change to core MediaWiki code. Even then, a corresponding change to AbuseFilter would be required to get that extension to count failed attempts and ban the offending IP address or demote a user.

Failing that, CAPTCHA extensions like ConfirmEdit are going to have to use memcached or whatever storage mechanism is available to keep track of repeated authentication failures internally and impose per-IP-address limits at some point. The absence of this functionality in any form is a bug which will reduce the effectiveness of CAPTCHA as a spam filter.
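The two controls the reply above asks for (an expiry on each issued challenge, and a per-IP failure counter that locks an address out after too many wrong answers) can be sketched against a memcached-style get/set/incr store. The code below is an added illustration and is not part of ConfirmEdit or any other MediaWiki extension; the `FakeCache` class is a stand-in for memcached so the example runs offline, the `CaptchaLimiter` class, its key names and its limits are hypothetical, and the answer `'42'` and address `203.0.113.7` are constructed test data. A real extension would back the same logic with MediaWiki's object cache (an assumption not shown here).

```php
<?php
// Added example, not ConfirmEdit code: challenge expiry plus per-IP failure
// lockout on top of a memcached-style store. FakeCache stands in for memcached
// (assumption); a real extension would use the wiki's configured object cache.

class FakeCache {
    private array $data = [];                    // key => [value, expiresAt]
    public function __construct(private int $now = 0) {}
    public function tick(int $seconds): void { $this->now += $seconds; }

    public function get(string $key) {
        if (!isset($this->data[$key])) return false;
        [$value, $exp] = $this->data[$key];
        if ($exp !== 0 && $exp <= $this->now) {   // lazy expiry, like memcached
            unset($this->data[$key]);
            return false;
        }
        return $value;
    }
    public function set(string $key, $value, int $ttl = 0): void {
        $this->data[$key] = [$value, $ttl ? $this->now + $ttl : 0];
    }
    public function delete(string $key): void { unset($this->data[$key]); }
    // memcached-style incr: only increments an existing key, otherwise false
    public function incr(string $key, int $by = 1) {
        $cur = $this->get($key);
        if ($cur === false) return false;
        $this->data[$key][0] = $cur + $by;
        return $cur + $by;
    }
}

class CaptchaLimiter {
    public function __construct(
        private FakeCache $cache,
        private int $challengeTtl = 300,   // seconds a challenge stays solvable
        private int $maxFailures = 5,      // wrong/expired answers allowed per window
        private int $windowTtl = 3600,     // failure-counting window
        private int $lockoutTtl = 3600     // how long a locked IP is refused
    ) {}

    public function isLocked(string $ip): bool {
        return $this->cache->get("captcha:lock:$ip") !== false;
    }

    // Issue a challenge: the expected answer lives under a random id with a TTL,
    // so a challenge scraped today cannot be solved on another site tomorrow.
    public function issue(string $ip, string $answer): ?string {
        if ($this->isLocked($ip)) return null;
        $id = bin2hex(random_bytes(16));
        $this->cache->set("captcha:challenge:$id", $answer, $this->challengeTtl);
        return $id;
    }

    // Verify: one attempt per challenge, expired challenges fail, and every
    // failure counts against the submitting IP.
    public function verify(string $ip, string $id, string $given): bool {
        if ($this->isLocked($ip)) return false;
        $key = "captcha:challenge:$id";
        $expected = $this->cache->get($key);
        $this->cache->delete($key);                // burn it whether right or wrong
        if ($expected !== false && hash_equals($expected, $given)) {
            return true;
        }
        $this->recordFailure($ip);
        return false;
    }

    private function recordFailure(string $ip): void {
        $key = "captcha:fail:$ip";
        $n = $this->cache->incr($key);
        if ($n === false) {                        // first failure in this window
            $this->cache->set($key, 1, $this->windowTtl);
            $n = 1;
        }
        if ($n >= $this->maxFailures) {
            $this->cache->set("captcha:lock:$ip", 1, $this->lockoutTtl);
        }
    }
}

// Constructed scenario: one expired answer, then two wrong ones, locks the IP.
$cache = new FakeCache();
$limiter = new CaptchaLimiter($cache, challengeTtl: 300, maxFailures: 3);
$ip = '203.0.113.7';

$id = $limiter->issue($ip, '42');
$cache->tick(301);                            // past the 300 s challenge TTL
var_dump($limiter->verify($ip, $id, '42'));   // false: right answer, but expired (failure 1)

for ($i = 0; $i < 2; $i++) {
    $id = $limiter->issue($ip, '42');
    $limiter->verify($ip, $id, 'wrong');      // failures 2 and 3
}
var_dump($limiter->isLocked($ip));            // true
var_dump($limiter->issue($ip, '42'));         // NULL: no new challenges while locked
```

The counter and the lock are separate keys on purpose: the failure window keeps rolling at its own TTL, while the lock is a single flag the extension (or an AbuseFilter-style hook, if one existed) can check cheaply before doing any other work. Note that the lockout here is keyed only on the IP, so shared NAT or proxy addresses will need a higher threshold than a single-user address.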