<two cents>
captcha only reduces human enrollment.
Spam bots don't care and will hit a captcha 1000 times until they get through.
Spammers have beaten every captcha module created, if you create a custom module, you will be protected until a spammer finds you ( your site becomes popular ).
Here's what I do. I use CSS to hide random fields from humans input. Spam bots love to add stuff to input fields. I give them lovely descriptive names like first_name or user_name while the human readable fields will be id'd as something close, like login_username.
You can also through in a couple of javascript tricks to keep the bots on their toes.
I then test for the hidden, random fields created, if they have any input, guess what, it's a bot. I then just send the bot to the home page.
Does this prevent all spam bots, yes. Will it prevent a directed attack? No. But it will seriously slow it down.
Spammers just use a human to create the account and then use that account to spam content.
There is no win in the end. The best thing is not to harrass real people with unreadable captcha's.
</two cents>
