$wgCaptchaTriggers['addurl'] defaults to true, so that if a user (new? not-confirmed?) adds an external link to a wiki page, he or she is prompted with a CAPTCHA:
Your edit includes new external links. To protect the wiki against automated edit spam, we kindly ask you to answer the question that appears below (more info):
But this doesn't happen for Flow posts or header edits, and it probably should. This may be a contributing factor to our recent spam attack.