For some time, the CAPTCHA has been considered the definitive way to keep bots and spammers off your site. But, like any ecosystem, both sides need to continually evolve. And simply making the CAPTCHA harder and harder to read isn't the answer (I'm looking at you, reCAPTCHA, with your dang near impossible to read letters I'm supposed to interpret). Recently, I've implemented two alternatives / additions to a CAPTCHA that are relatively easy to program, and as a bonus are invisible to end users.
Excluding Bots: Honey Pot Form SPAM Trap
The Honey Pot form trap is so terrifically simple and clever that it definitely falls into the "Why didn't I think of that?" category. Here's how it works: you create your form as normal, but make sure to include one extra text input field. Using CSS, you can mark that form field as invisible to users. You then update your form handling code to refuse to accept submissions that have that extra form field filled in. Users won't fill in the field (how can they, it's invisible?); bots on the other hand are typically too crude to interpret CSS, so they will go ahead and submit something for the form field. And Bam! you've just excluded bots without the user ever knowing it.
But I think the Honey Pot approach is even more elegant.
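Here is a sketch of the Honey Pot check described above, added as an illustration and not code from my own sites. The field name `website`, the `hp-field` CSS class and the `/contact` action are made-up names, and silently discarding the submission rather than showing an error is just one way to "refuse" it.

```python
from urllib.parse import parse_qs

# Hypothetical trap field name: something a bot will be tempted to fill in.
HONEYPOT_FIELD = "website"

# Constructed form markup. The trap field is hidden with CSS, kept out of the
# tab order and excluded from autofill so real users never populate it.
FORM_HTML = """
<style>.hp-field { position: absolute; left: -9999px; }</style>
<form method="post" action="/contact">
  <input type="text" name="name">
  <input type="email" name="email">
  <div class="hp-field" aria-hidden="true">
    <input type="text" name="website" tabindex="-1" autocomplete="off">
  </div>
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
"""


def is_bot_submission(body):
    """Return True when the urlencoded POST body has the trap field filled in."""
    # keep_blank_values=True so an empty trap field parses as present-but-empty.
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get(HONEYPOT_FIELD, [])
    # A non-whitespace value in any copy of the field marks the sender as a bot.
    return any(value.strip() for value in values)


def handle_submission(body):
    """Return the action the form handler takes for a POST body."""
    if is_bot_submission(body):
        # Design choice (assumption): drop the data without telling the bot why.
        return "discarded"
    return "accepted"


# Constructed sample POST bodies.
HUMAN_POST = "name=Ann&email=ann%40example.com&website=&message=Hello"
BOT_POST = "name=x&email=x%40example.com&website=http%3A%2F%2Fspam.example&message=buy"

if __name__ == "__main__":
    print(handle_submission(HUMAN_POST))  # accepted
    print(handle_submission(BOT_POST))    # discarded
```

The check has to live in the form handling code on the server; the CSS only hides the field and does no filtering on its own.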
Excluding Spammers: CleanTalk and StopForumSpam
While excluding bots is a good thing, many of my customers have reported spammers getting past the CAPTCHAs on their site. That implies to me that these spammers in particular have hired real people to fill in forms, rather than depend on bots to do their dirty work. In that case, a CAPTCHA or Honey Pot isn't going to make a difference. But what can make a difference are sites like CleanTalk and StopForumSpam. These sites both work on the same principle: these human form filler-outers are lazy. They often use the same username, email and source IP address for multiple sites they SPAM.
Given this, both CleanTalk and StopForumSpam host a blacklist that you can query to see if a person signing up on your site has been flagged as a known spammer.
While not quite as trivial as the Honey Pot to implement, it's really not that tricky. One curl request is all it takes to see if a given username, email or IP is potentially bad news.
While it's a never ending battle to tame SPAM, these two approaches definitely help fight the good fight. And they do so with relatively minimal effort.