How can I combine the following to fight spam and at the same time minimize the annoyance imposed on the user?

  1. On the registration page, send an email to verify the email address
  2. On the registration page, use CAPTCHA
  3. On every post page, use CAPTCHA

Feel free to add new items to the list, and please state your suggested scheme as a boolean expression, e.g. (1 and 3) or 2

+3  A: 

Try using JavaScript to submit forms with a time-limited variable in a hidden field. This will mean that bots won't currently be able to submit anything.

Rich Bradshaw
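
A server-side sketch of the time-limited hidden field suggested in the answer above, added here as an example and not part of the original post. The server issues an HMAC-signed timestamp, the page's JavaScript copies it into the hidden field, and the submit handler rejects values that are missing, forged, returned too quickly, or expired. The names `issue_token` and `check_token`, the secret, and the age limits are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, kept server-side
MIN_AGE = 3      # seconds; faster than a person can fill in the form (assumed)
MAX_AGE = 3600   # seconds; the hidden value stops working after an hour (assumed)


def _sign(form_id, issued):
    """HMAC over the form name and issue time, so neither can be altered."""
    msg = f"{form_id}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Value the page's JavaScript writes into the hidden field."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_sign(form_id, issued)}"


def check_token(token, form_id, now=None):
    """Return 'ok', or the reason the submission should be rejected."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, sig = token.split(".", 1)
        issued = int(issued_s)
        sig_bytes = sig.encode()
    except (AttributeError, ValueError):
        return "malformed"  # field missing, not a string, or not "time.sig"
    # Constant-time comparison; a changed timestamp or form name fails here.
    if not hmac.compare_digest(sig_bytes, _sign(form_id, issued).encode()):
        return "bad-signature"
    age = now - issued
    if age < MIN_AGE:
        return "too-fast"
    if age > MAX_AGE:
        return "expired"
    return "ok"
```
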
+2  A: 

You can also use Bayesian filtering to remove, or otherwise deal with, the spam posts that do get through.

jammus
+2  A: 

The best advice with CAPTCHAs is to either roll your own, or just fake it.

Here's a good article on CAPTCHAs:

http://www.codinghorror.com/blog/archives/001067.html

Now scroll down to the bottom. It asks you to enter a word. No fancy generation or obfuscation. That CAPTCHA works because Coding Horror is so small potatoes compared to the big guys. Your site is likely to be small potatoes too.

If you're working with software that already includes a CAPTCHA, then you can change how that CAPTCHA works. For example, the phpBB3 discussion forum has a CAPTCHA for registering. So you can change the text on the page to something like "Ignore the picture. Please enter the color of the sky in the box", and then replace the verification code to just check for "blue". This has the added benefit that any bot that happens along will try to solve the CAPTCHA and fail the authentication.

Keith Twombley
A: 

Responding to your request for new items to the list...

One proposed way to fight spam is to charge 'virtual postage' on email. Something in the neighborhood of a fraction of a cent per email. This would be a very minor inconvenience to a normal user, but to a bulk spammer sending millions of emails, the costs would become prohibitive.

A variation of this theme is that each email has a link that if clicked indicates whether it is spam or not. If clicked, the sender is charged the postage. If not, the email is free.

The problem with both of these approaches is that it is a boil-the-ocean problem. You need to have a network of email servers that enforce the postage and make it desirable to be on the system. If you are the sole server charging postage, everyone else will find another provider.

Jason Z
+1  A: 

Use IP blacklists. Block spammer-owned networks, known bots with static IPs, etc. They're not enough for complete protection (you can't effectively fight Windows zombies with dynamic IPs), but they significantly reduce the volume of spam.

As for the rest, let through posts that look completely innocent, e.g.

  • you've detected that user's browser supports JavaScript
  • post contains no links
  • user isn't connecting from country/ISP from which you get more spam than visitors
  • this IP hasn't submitted suspiciously many posts

and require CAPTCHA in all other cases.

If you want to put more effort into this, you should implement Bayesian filtering for text and tracking the reputation of linked domains.

I've implemented a quite comprehensive filter – Sblam! that implements all sorts of anti-spam techniques and interfaces several external blacklists. It's open-source, so have a look and copy the code!

porneL
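
The gating described in the answer above (block listed networks, let through posts that look innocent, require a CAPTCHA for everything else), written out as an added example; it is not code from the post or from Sblam!. The class `PostGate`, the blocked network, the thresholds, and the "more spam than visitors" counters are assumptions.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

LINK_RE = re.compile(r"https?://|www\.|\[url", re.I)
BLOCKED_NETS = [ip_network("203.0.113.0/24")]  # constructed: documentation range
MAX_POSTS, WINDOW = 3, 600                     # assumed: 3 posts per 10 min per IP


class PostGate:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> timestamps of recent posts
        self.origin = {}                  # country/ISP -> [spam, legit] counts

    def record_verdict(self, country, was_spam):
        """Feed back moderation results so origins can be scored."""
        counts = self.origin.setdefault(country, [0, 0])
        counts[0 if was_spam else 1] += 1

    def _spammy_origin(self, country):
        spam, legit = self.origin.get(country, (0, 0))
        return spam > legit  # "more spam than visitors"

    def _too_many(self, ip, now):
        q = self.recent[ip]
        while q and now - q[0] > WINDOW:  # drop posts outside the window
            q.popleft()
        q.append(now)
        return len(q) > MAX_POSTS

    def decide(self, ip, country, body, js_ok, now):
        """Return 'block', 'allow' or 'captcha' for one submission."""
        addr = ip_address(ip)
        if any(addr in net for net in BLOCKED_NETS):
            return "block"
        busy = self._too_many(ip, now)    # always counted, even if other checks fail
        innocent = (js_ok
                    and not LINK_RE.search(body)
                    and not self._spammy_origin(country)
                    and not busy)
        return "allow" if innocent else "captcha"
```
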
A: 

I use Commentor, but it only works with BlogEngine.net. Its source is available, though, so you could get some ideas to implement from it.

Juan Manuel
A: 

Comment spam is often done with botnets, so anything relying on IP blacklisting is just going to end up blocking legitimate users.

Focus on analyzing the message content with Akismet or using a proven accessible CAPTCHA solution like reCAPTCHA.

Libraries and plugins are available for most languages and applications.

Luke
A: 

Most of these are done by search engine optimization people trying to get more links back to their client's site. This gets them a higher ranking in Google. Client gets a higher ranking and thinks the SEO is doing a great job.

So I capture the image of the fake post and circle the link shown in the status bar. I then find the client's email address either through their site or through GoDaddy.com. I then email them the image, tell them how it works and ask them to tell their SEO to knock it off. The clients are shocked to learn that their SEO has turned them into spammers. Some have even called me to learn more and most (that respond) say they will follow up with the SEO. After emailing one client I actually got this email from the spammer:

Hello Jim
We are marketing for for Scott. I think my competitor have spammed your site with my client list. I will check back with you.

Please dont get to any of other webowners i will check this right away.
Regards

I found his web site where he has "We gurantee first page placement on Google". Of course, his comments were disabled.....

No, this hasn't made it stop - but it makes me feel better.

JBrooks