spam attacks

Bug #663011 reported by Teffania
Affects | Status | Importance | Assigned to | Milestone
Canon Lore | New | Low | Unassigned |
Gratian | New | Low | Paul Harrison |

Bug Description

Ever increasing numbers of link spams are being sent via the fix me interface. Canon's email is set to treat no fix-mes as spam, as it's crucial not to lose messages: people get cranky enough about messages they think they sent (but actually didn't), and won't try a third time, sometimes not even a second time.

Not at all urgent, but if the volume keeps increasing, this will be an issue.

Teffania (teffania)
Changed in gratian:
importance: Undecided → Low
Paul Harrison (paul-francis-harrison) wrote:

It should be easy enough to add a very simple captcha.

Changed in gratian:
assignee: nobody → Paul Harrison (paul-francis-harrison)
Eric TF Bat (bat-flurf) wrote:

I'm thinking it should go like this.

Current process:
1. CL displays edit form.
2. User types message and presses Send.
3. CL sends message to Teffania.

New process:
1. CL displays edit form.
2. User types message and presses Send.
3. CL checks to see if message contains "<a href" or "http". If not, jump to step 7.
4. CL redisplays edit form, but with a simple captcha such as "what is 2+4?" or "when Alfar and Elspeth were on the throne, who was the king?". Should explain clearly that this is a simple test to make sure that the user is a human being and not a spambot.
5. Provided the result of the test is correct (answers: "6" and "some bloke with a big stick"), jump to step 7.
6. To reduce the efficiency of human spammers, implement some kind of delay. Take a very long time to redirect back to step 4.
7. CL sends message to Teffania.

We could easily produce a couple of dozen questions with obvious answers, and stick them in a config file. Every now and then someone could go in and add to them, just for fun. No need for much more brainpower beyond "if (strtolower(trim($response)) == $correct_answer) { ... }".

Teffania (teffania) wrote:

Bat had an elegant solution which I think would be less unwieldy than most of the captcha things I've seen:

Bat: Current process: user types in message, hits send, CL sends the message to you.
New version: user types in message, hits send, CL checks to see if it has any URLs in it. If it doesn't, CL sends the message to you. Otherwise, CL forces the user to do some kind of humanity check, e.g. "What is 2+3?" or "Who was the king when Alfar and Elspeth were on the throne?".
Teffania: With a polite message saying something like "because of the large amount of spam sent to this address, we wish to check you are actually a human."

Note: I think all the spam I've gotten has contained a URL. URLs are very rare in legitimate fix-mes but could occur.
So this should mostly not be seen by users.

Bat: Can do the same for recommendations, tho they already have a silent fail if the user puts http or <a href into a message.
Teffania: yes, nice to not have recommendations silently fail because someone might want to link to the blog with pretty dresses the person made, etc.

Note this is a low priority bug - it's not a big issue at the moment, but is likely to continue getting worse.

Teffania (teffania) wrote:

We haven't had an issue with human spammers yet as far as I can tell.

Teffania (teffania) wrote:

Oops added it in the wrong system. Can't remove Gratian.

Paul Harrison (paul-francis-harrison) wrote:

Least effort process (for programmer), assuming non-human spammers:

1. Always display captcha. Only one question. Keep it very simple, plain text (no accessibility issues).
2. If captcha wrong, say "press the back button and enter the correct answer, which is ..., and try again".
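Both proposals in this thread, Bat's "only challenge when the message contains a link" flow earlier and the always-challenge version in this comment, reduce to the same small gate in front of the send step. The following is an added example written for this page, not code from Canon Lore or Gratian, and it is in Python rather than the site's PHP. The question bank, the link regex (slightly tighter than the plain "http" substring the thread mentions: it looks for a scheme, an `<a href` tag or a bare `www.` host) and the `FAILURE_DELAY_SECONDS` value are constructed here and stand in for the config file the thread proposes.

```python
import re
import secrets

# Constructed question bank standing in for the config file the thread proposes.
# Keys are shown to the user; values are the expected answers.
QUESTIONS = {
    "What is 2+4?": "6",
    "What is 2+3?": "5",
    "What colour is a red apple?": "red",
}

# Step 3 of the proposed flow: what counts as "contains a link".
LINK_RE = re.compile(r"<a\s+href|https?://|\bwww\.", re.IGNORECASE)

# Step 6: how long the form should take to come back after a wrong answer
# (constructed value; the handler decides how to apply the pause).
FAILURE_DELAY_SECONDS = 30


def contains_link(message: str) -> bool:
    """Step 3: does the message look like link spam?"""
    return LINK_RE.search(message) is not None


def normalize(text: str) -> str:
    """The comparison sketched in the thread: strtolower(trim($response))."""
    return text.strip().lower()


def check_answer(question: str, response: str) -> bool:
    """Step 5: compare the normalised response with the stored answer."""
    expected = QUESTIONS.get(question)
    return expected is not None and normalize(response) == normalize(expected)


def pick_question() -> str:
    """Choose a question for step 4 at random so bots cannot memorise one."""
    return secrets.choice(list(QUESTIONS))


def handle_submission(message, question=None, response=None, *,
                      always_challenge=False, reveal_answer=False):
    """Decide what the form handler should do with one submission.

    Returns one of:
      ("send", None)               forward the message (step 7)
      ("challenge", question)      redisplay the form with this question (step 4)
      ("delay", (seconds, hint))   wrong answer: pause, then show hint and
                                   redisplay the form (step 6)

    always_challenge=True gives the "always display captcha" variant from this
    comment; reveal_answer=True puts the expected answer into the hint, as the
    comment suggests for non-human spammers.
    """
    if not (always_challenge or contains_link(message)):
        return ("send", None)
    if question not in QUESTIONS:
        # First pass (or a tampered question): show a fresh question.
        return ("challenge", pick_question())
    if check_answer(question, response or ""):
        return ("send", None)
    hint = "Press the back button and try again."
    if reveal_answer:
        hint = (f"Press the back button and enter the correct answer, "
                f"which is {QUESTIONS[question]}, and try again.")
    return ("delay", (FAILURE_DELAY_SECONDS, hint))
```

The function returns a decision instead of sleeping or rendering, so the same gate can sit in front of both the fix-me and the recommendations forms, and the web handler chooses how to implement the step 6 pause. Putting the answer into the hint only helps against bots that do not read the page they are served, which is exactly the assumption this comment makes.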

Teffania (teffania) wrote:

Really, people are stupid, or just have bad days, or hate computers (some all 3). And they will all be using canonlore. Just had an example today of someone who couldn't manage to email me using the canon address that's plastered everywhere.

I'd prefer the version that just filters out urls, because anyone smart enough to paste in a url can probably understand very simple instructions, but I really don't think everyone else will.

All spammers have looked non-human, and contained URLs, so far.

Teffania (teffania)
Changed in canonlore:
importance: Undecided → Low