You understand that if the bot is aimed specifically at your site, no protection will help here.
If the general case, you can come up with some kind of algorithm in js, the browser executes it and sends the result, there is a similar algorithm on the server side, and we just check it.
But we need to take into account that we are losing users with off. js

Try the following:
- For all fields, generate random names for each form request.
That is, instead of:
<input name="firstName ... >
<input name="email" ... >
you will have:
<input name="r245" ... >
<input name="x287" ... >
- The order of the fields should also change
- Generate random order and names for the Register and Cancel buttons
Some bots can parse the text surrounding the input field in order to understand what needs to be entered there, so instead of writing Email in front of the field, it is better to place an image with the appropriate text.
After the registration form, you can add an additional step with the simplest question requiring the choice of one value out of two. For example: The moon has the shape: "Circle", "Square"

Make life easier for yourself and your users: use authentication through social networks. In solutions like ULogin or Loginza , dozens of ways to identify a user have already been collected. At least one will do :-)
The problem of fighting spam automatically falls on the shoulders of a third-party service, and users do not have to remember a new password.
And they are great friends with Dzhanga .

Just like not in Django.
The most effective is to make a checkbox with some thread of the left name, bots, as a rule, do not fill it.
On another project, I have a textfield where I need to type "No". Bots ignore him too.

I asked this question before - What are the methods of protection against spam registrations? . Now they are working on defense. Maybe the info above will help.

I also remembered.
Very often spammers use "multiplied" soaps.
Here is a recipe for Drupal sites www.drupal.ru/node/58703 , for the rest, something like this should also be

You can add any field and hide it. If a value was entered into it, then it is a bot.
In theory, it's better not to use "display: none" or "visibility: hidden". I think bots can determine this. And, for example, overlap with a div.

At one time, I solved a similar problem like this: I analyzed the behavior before the protected event (although it was a vote in the competition, not registration).
The rules are something like this:
- a person came from the list of participants page
- read the text on the voting page for at least a second
- voted
- cross-clicked and loaded with all the statics (you can slip some kind of dynamic picture given by janga) the page for viewing the results, etc.
Usually bots stupidly hammer into the form page, ignoring everything else. They do get smarter with time though.
After the client is defined as suspicious, it is not at all necessary to tightly close the registration, you can, for example, add a captcha, this will save you from false positives, despite the fact that most will register anyway. It will also be useful to monitor the number of clients identified as good and suspicious. This will help debug the mechanism.