Unfortunately, the best anti-spam measures are the ones that work, but also that no one else is doing. Spammers aren't going to bother reverse engineering spam mitigation systems to get at 1 or 2 sites... but to get at thousands? Sure...
It's a little annoying that way because we have some pretty neat anti-spam stuff, but once we share it then it starts becoming less useful for us. Boo spammers!
Agree, the developers for applications such as XRumer target larger volumes, but closer to 10's of thousands - millions rather than thousands
So if you do share it, and it's a mechanism that can be targeted, just make sure it doesn't reach a high volume (make it paid
)
This is true for "soft" mechanism, I keep saying this over an over.
Many plugins work well due to the low popularity of the mechanism, as soon as that mechanism reaches a significant number, it becomes a worth while target, so if soft mechanisms are put into the core of an application with volume, they will be targeted. We have seen this for simple tick boxes (are you a bot), logical question (1+1), all text-QAs (solved with textcaptcha.txt), ReCapatha (solved with training ANNs) ... and we will soon see this for the registration timer (solved with script pausing)
Once a mechanism reaches a threshold (this commonly occurs when put into the core, but can happen with popular mechanism), the mechanism will soon be rendered useless
There are some mechanism that are hard to target due to the challenge for AI. Simple sliders / games / honeypots / timers / image recogintion of known public libraries / custom text questions ... are no challenge for AI, so as soon as any of these reach a significant volume, they will be rendered ineffective. The trick is to know what the limitation of AI currently is, and where most automated programs find difficulty
However, there do exist some "harder" anti spam mechanism (things that can't easily be targeted). An example of a hard antispam mechanism is an API. APIs are not so easy to target, so are ideal for putting into the core of an application (there are ways to target APIs, of which I wont mention). So, APIs in the core is a good idea
But APIs will never stop 100% of spam, soft mechanism can...
So multiple uncommon mechanism is useful and these can stop 100% of spam (so I applaud multiple non core mechanisms, or even custom mechanisms)
... It's even better if you can find a non common mechanism which is very hard to target (this is why something as simple as CustomImgCaptcha will out last many other CAPTCHAs, the idea is customised by the forum admin, and there is no set available to train an ANN against)