One other thing I forgot
to mention about Honeypot - besides implementing reverse-CAPTCHA,
it also looks at how much time passed between when your server sent the
HTML with the <form> and when the response arrived. A lot
of the malware out there is too dumb to delay a few seconds, so
the malware sends its response faster than a human possibly could.

What's worrisome is that these solutions are only temporary
measures. I can easily think of ways around both of these tests if
I were writing code for the bad guys. So I expect that their
programmers will implement such workarounds in the near future.
And at that point we'll have no effective protection.

This is not just a Drupal problem - it
affects every website regardless of what technology it's built
with. So, please put the word out to any developers you
know - we need to be dreaming up innovative ways of distinguishing
between software-generated responses and human-generated responses
right now so we'll be ready when the current approaches all start
failing.
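
The two checks described in the post above (a trap field and a minimum time between rendering the form and receiving it), as an added example that is not part of the thread and is not the Honeypot module's code. The field names, thresholds and key are assumptions chosen for illustration; the timestamp is HMAC-signed so the server can trust the value the client sends back.

```python
import hashlib
import hmac
import time

# All names and values below are assumptions made for this example.
SECRET_KEY = b"constructed-demo-key"  # per-site secret, never sent to the client
MIN_SECONDS = 5       # fastest submission still treated as human
MAX_SECONDS = 3600    # how long a rendered form stays valid
TRAP_FIELD = "homepage"  # input hidden with CSS; a person never fills it in


def _mac(form_id, ts):
    msg = f"{form_id}:{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Value for a hidden 'form_token' input, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(form_id, ts)}"


def check_submission(form_id, fields, now=None):
    """Return (accepted, reason) for the POSTed fields of one form."""
    now = time.time() if now is None else now
    if fields.get(TRAP_FIELD, "").strip():
        return False, "trap field filled"
    ts, sep, mac = fields.get("form_token", "").partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False, "token malformed"
    # Verify the signature before trusting the timestamp the client sent back.
    if not hmac.compare_digest(mac.encode(), _mac(form_id, ts).encode()):
        return False, "token signature invalid"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed render time
    token = issue_token("comment_form", now=t0)
    print(check_submission("comment_form", {"form_token": token}, now=t0 + 1))
    print(check_submission("comment_form", {"form_token": token}, now=t0 + 12))
```

A valid token is accepted any number of times until it expires, so a site that wants each rendered form to be usable once also has to record the tokens it has already seen.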
I'll try honeypot!
I've been making do with the attached script and adding things to .htaccess;
it was surprisingly effective (though lately I'm seeing spam from within my
own city).