What protection to use against spam bots?
Dear Khabravchan!
Please share your experience, what is better to use: a standard and so unloved by all symbolic captcha, an additional hidden field, captcha of the “collect a picture” type, protection of this type, inconvenient binding to a phone number, or something else?
I repeat the methods of protection, choose any that you like:
Let's start with the case when you have a small (less than 100 thousand unique visitors per day / 1 million registered users) site.
1) Make an invisible field named email. 98% of moronic bots will fill it, then you understand what to do with them and where to enter their IP. So as not to give it away, do not write style=display:none, but hide it a little more cunningly.
This method eliminates almost all bots on one site for me. True, there are bots that are not tailored for the site, but that simply go and fill out all the forms in a row with their advertisements. Probably of the XRumer type.
2) A field of type hidden filled in by JavaScript. Lots of bots don't execute JavaScript. Cookies, by the way, on the contrary, most bots regularly send. The referrer and user agent are also usually correct.
3) A more radical approach is to remove the submit button, replacing it with a div that, on the onclick event, collects the values of the form fields and sends them by Ajax. Change the action attribute of the form tag to point to the hook script. If the bot is not written specifically for your site, it will stupidly not be able to send such a form.
Ok, let's say you're out of luck and your site with millions of users is attacked by spammers with specially written scripts. What can we offer you?
4) Add fields calculated/decoded by Javascript. A sudden change in the encryption algorithm at 2 a.m. is likely to betray those bots that were able to break through it, but did not have time to rewrite the algorithm.
5) Check client support for Flash (load a Flash movie and sign the form with code through it).
6) Check if the User-Agent matches the level of support for HTML5/CSS3 technologies (for example, certain versions of browsers do not support border-radius, others do, etc.)
Statistical analysis methods provide more serious possibilities. For example, you can isolate non-dictionary words from messages (for example, these will be links) and analyze the sources of their sending. For example, if 1000 users start sending 100 messages to non-friends with the same word super-shop in an hour, this is a clear sign of spam. For such systems, it is necessary to collect statistics and write white / black rules, introduce unspoken limits on suspicious actions. In general, a serious job.
You can, like VKontakte, link accounts to phones. It works.
Some more discussion on this topic here: habrahabr.ru/qa/16920/#answer_70019
And the use of captcha in forms indicates laziness / low qualification / cut budget or unprofessionalism and causes inconvenience to users.
Captcha should be offered only in extreme cases, when there is a suspicion of a bot. For example, if no verification cookie is passed, javascript is disabled. I don’t think that the captcha at the specified link is more reliable than the classic one, there is rather an element of “viral marketing” here. When compiling a captcha, it is important to look at it from the point of view of a software image analyzer. For example, extra noise in the background is easily removed by algorithms, and only complicates the user's perception. A good option might be reCaptcha.
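The statistical check described in the answer above (non-dictionary words sent by many accounts to non-friends within an hour), as an added example that is not part of the original thread. The function names, the word list, the message fields and the sample traffic are constructed for illustration.

```javascript
// Added example: find non-dictionary tokens that many distinct senders push
// to non-friends inside one time window. All names here are hypothetical.
const WINDOW_MS = 60 * 60 * 1000;        // one hour, as in the answer
// Constructed stand-in for a real dictionary / whitelist.
const DICTIONARY = new Set(['visit', 'now', 'see', 'you', 'at', 'lunch', 'my', 'cat', 'is']);

function suspiciousTokens(messages, now, minSenders, minMessages) {
  const stats = new Map();               // token -> { senders, count }
  for (const m of messages) {
    // Only recent messages to non-friends are counted.
    if (m.toFriend || m.ts > now || m.ts <= now - WINDOW_MS) continue;
    const words = m.text.toLowerCase().match(/[a-z0-9][a-z0-9.\/:-]*[a-z0-9]/g) || [];
    for (const tok of new Set(words)) {  // count a token once per message
      if (DICTIONARY.has(tok)) continue;
      const s = stats.get(tok) || { senders: new Set(), count: 0 };
      s.senders.add(m.from);
      s.count += 1;
      stats.set(tok, s);
    }
  }
  return [...stats]
    .filter(([, s]) => s.senders.size >= minSenders && s.count >= minMessages)
    .map(([token, s]) => ({ token, senders: s.senders.size, messages: s.count }));
}

// Constructed sample: 5 accounts each send 2 messages with the same token to
// non-friends; the rest is ordinary or out-of-window traffic.
function constructedSample(now) {
  const msgs = [];
  for (let u = 1; u <= 5; u++) {
    for (let i = 0; i < 2; i++) {
      msgs.push({ from: `acct${u}`, toFriend: false, ts: now - 1000 * (u + i),
                  text: 'Visit super-shop now' });
    }
  }
  msgs.push({ from: 'alice', toFriend: true, ts: now - 5000, text: 'see you at lunch' });
  msgs.push({ from: 'bob', toFriend: false, ts: now - 6000, text: 'my cat is zorblax' });
  msgs.push({ from: 'acct9', toFriend: false, ts: now - 2 * WINDOW_MS, text: 'old-shop' });
  return msgs;
}
```

With the sample above, thresholds of 5 senders and 10 messages flag only `super-shop`; the figures in the answer (1000 users, 100 messages) are the same rule at production scale.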
In fact, the topic is very interesting.
It is worth looking at it from this side: do you have users with Opera Mini and other similar browsers? So, images are often disabled for them, so they will not see the captcha. But it does not matter - the picture can be uploaded.
The main thing is that even if there is a captcha, it can be used. Therefore, I would be wary of exotic options like “collect a picture” / “click on a picture with a cube”.
If your main task is to weed out bots, look at what is typical for them and what is not typical for users. First, people don't comment immediately after the page has loaded. Secondly, if you don’t use a BB code anywhere on your site, but there is one in your messages, these are most likely messages from bots. A bunch of links in a post? Again, this is most likely a spam bot. For "suspicious" users, you can issue a captcha or accept their comments, but leave them for pre-moderation. Lots of options.
By the way, one more hint: bots do not read (however, some people do too). Therefore, captchas like “check this box if you are not a bot” / “do not fill in this field if you are not a bot” can also work.
Not so long ago there was an article: http://habrahabr.ru/blogs/webdev/135209/
There are interesting thoughts there.
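Several of the checks suggested in the answers above (the invisible `email` field, the hidden field filled in by JavaScript, the time between page load and submit, BB code and link count) combined into one server-side classifier, as an added example that is not code from the thread. The field names `js_token` and `comment`, the thresholds and the secret are assumptions; the JavaScript-filled field is implemented here as an HMAC-signed timestamp.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed; keep the real key in server config
const MIN_FILL_MS = 3000;                 // assumed: people do not post right after page load
const MAX_AGE_MS = 60 * 60 * 1000;        // assumed token lifetime
const MAX_LINKS = 2;                      // assumed link limit per comment

function sign(ts) {
  return crypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Sent with the page; a script copies it into the hidden "js_token" field,
// so a client that runs no JavaScript submits the form without it.
function issueToken(now) {
  return `${now}.${sign(now)}`;
}

// Age of a valid token in ms, or null when it is missing or forged.
function tokenAge(token, now) {
  const [ts, mac = ''] = String(token || '').split('.');
  if (!/^\d+$/.test(ts) || !/^[0-9a-f]{64}$/.test(mac)) return null;
  const expected = Buffer.from(sign(ts), 'hex');
  if (!crypto.timingSafeEqual(expected, Buffer.from(mac, 'hex'))) return null;
  return now - Number(ts);
}

function classify(form, now) {
  const reasons = [];
  if (form.email) reasons.push('honeypot-filled');    // invisible "email" field
  const age = tokenAge(form.js_token, now);
  if (age === null) reasons.push('no-valid-js-token');
  else if (age < MIN_FILL_MS) reasons.push('too-fast');
  else if (age > MAX_AGE_MS) reasons.push('token-expired');
  const text = form.comment || '';
  // Assumes the site itself never uses BB code.
  if (/\[(url|img|b|i)[=\]]/i.test(text)) reasons.push('bbcode');
  if ((text.match(/https?:\/\//gi) || []).length > MAX_LINKS) reasons.push('many-links');
  let verdict = 'accept';
  if (reasons.length) verdict = 'challenge';          // captcha or pre-moderation
  if (reasons.includes('honeypot-filled')) verdict = 'reject';
  return { verdict, reasons };
}
```

A `challenge` verdict is where a captcha or pre-moderation would be applied, so ordinary visitors who pass every check never see one.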