There are some alternatives, i.e. where Captchas are only displayed when JavaScript is disabled. But all these methods don't work, at least someone just can analyze the traffic and do all the JavaScript-Stuff in a single HTTP/TLS Request, because it's not truly server-side.
I know it's embarrassing to use Captchas, but at least for the registration it should be used.
Or you could use OpenID or some social network oauth system to avoid Captchas.
I've been running all the comments and posts on one of my sites through Akismet (http://akismet.com/) instead of requiring captchas. It works great at filtering out spam but couldn't replace captchas in every situation. For example, I don't think it'd be very effective against fake account signups.
it seems to be relatively simple to brute-force, because the used set is small compared to possible keyboard letters. but for most real world scenarios it should work, if there are only spammers who don't investigate and just ignore it. thus maybe not for high-traffic sites.
The biggest problem is people take the capta image and put it on an other website (free porn or what have you). That way you always have humans solving your captch but you can still spam.
That seems to be very weak compared to traditional captchas.
* It is no more than a weekend project to extract the Xs from the image and write a solver.
* Even without a image processing, the number of possible answers is 7. A 14% success rate is plenty for an automated spambot.
The only benefit is obscurity: a solver would have to be custom-built for this captcha and website. But a text field with instructions "type the word 'blue' here" would work just as well for keeping out non-customised spambots.
