We've implemented a couple of existing tools into Flow, which should help to fight spam/vandalism.
If either of the below tools results in a match against the submitted content, it will be rejected and an error message will be displayed to inform the user why the content was rejected.
Flow will run just fine without these additional extensions installed, they're no hard requirement. However, we strongly encourage to use them.
There's a great manual on Manual:$wgSpamRegex already. This is part of MediaWiki configuration, and can't be extended by editors.
Extension:SpamBlacklist is an extension to reject edits with links to certain external websites. The regular expressions to find malicious websites can be edited by editors at MediaWiki:Spam-blacklist
Extension:AbuseFilter is another extension that makes it possible to reject content based on regular expressions. It's possible to filter content based on much more than external links (e.g. reject all ALL CAPS posts)
Filters can be added via Special:AbuseFilter/new. "Prevent the user from performing the action in question" should be checked to prevent offending content from being submitted. Other actions (e.g. "tag") have not yet been implemented at time of writing. Make sure to set "filter group" to "flow" ("default" is the group for regular page edits).
new in 1.24wmf9 If Extension:ConfirmEdit is installed, Flow will validate new post content against its checks. If the CAPTCHA is triggered, e.g. anonymous user adding external links, then Flow displays an error. (Displaying the actual CAPTCHA interaction is in progress...)