I combine a few methods that seem quite successful so far:

1. Provide an input field with the name email and hide it with CSS display: none. When the form is submitted check if this field is empty. Bots tend to fill this with a bogus emailaddress.

2. Provide another hidden input field which contains the time the page is loaded. Check if the time between loading and submitting the page is larger the minimum time it takes to fill in the form. I use between 5 and 10 seconds.

3. Then check if the number of GET parameters are as you would expect. If your forms action is POST and the underlying URL of your submission page is index.php?p=guestbook&sub=submit, then you expect 2 GET parameters. Bots try to add GET parameters so this check would fail.

4. And finally, check if the HTTP_USER_AGENT is set, which bots sometimes don't set, and that the HTTP_REFERER is the URL of the page of your form. Bots sometimes just POST to the submission page causing the HTTP_REFERER to be something else.

I got most of my information from http://www.braemoor.co.uk/software/antispam.shtml and http://www.nogbspam.com/.

If you're looking for a .NET solution, the Ajax Control Toolkit has a control named NoBot.

NoBot is a control that attempts to provide CAPTCHA-like bot/spam prevention without requiring any user interaction. NoBot has the benefit of being completely invisible. NoBot is probably most relevant for low-traffic sites where blog/comment spam is a problem and 100% effectiveness is not required.

NoBot employs a few different anti-bot techniques:

• Forcing the client's browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved)
• Enforcing a configurable delay between when a form is requested and when it can be posted back. (Ex: a human is unlikely to complete a form in less than two seconds)
• Enforcing a configurable limit to the number of acceptable requests per IP address per unit of time. (Ex: a human is unlikely to submit the same form more than five times in one minute)

More discussion and demonstration at this blogpost by Jacques-Louis Chereau on NoBot.

<ajaxToolkit:NoBot
  ID="NoBot2"
  runat="server"
  OnGenerateChallengeAndResponse="CustomChallengeResponse"
  ResponseMinimumDelaySeconds="2"
  CutoffWindowSeconds="60"
  CutoffMaximumInstances="5" />

I would be careful using CSS or Javascript tricks to ensure a user is a genuine real life human, as you could be introducing accessibility issues, cross browser issues, etc. Not to mention spam bots can be fairly sophisticated, so employing cute little CSS display tricks may not even work anyway.

I would look into Akismet.

Also, you can be creative in the way you validate user data. For example, let's say you have a registration form that requires a user email and address. You can be fairly hardcore in how you validate the email address, even going so far as to ensure the domain is actually set up to receive mail, and that there is a mailbox on that domain that matches what was provided. You could also use Google Maps API to try and geolocate an address and ensure it's valid.

To take this even further, you could implement "hard" and "soft" validation errors. If the mail address doesn't match a regex validation string, then that's a hard fail. Not being able to check the DNS records of the domain to ensure it accepts mail, or that the mailbox exists, is a "soft" fail. When you encounter a soft fail, you could then ask for CAPTCHA validation. This would hopefully reduce the amount of times you'd have to push for CAPTCHA verification, because if you're getting enough activity on the site, valid people should be entering valid data at least some of the time!

Since it is extremely hard to avoid it at 100% I recommend to read this IBM article posted 2 years ago titled 'Real Web 2.0: Battling Web spam', where visitor behavior and control workflow are analyzed well and concise

Web spam comes in many forms, including:

• Spam articles and vandalized articles on wikis
• Comment spam on Weblogs
• Spam postings on forums, issue trackers, and other discussion sites
• Referrer spam (when spam sites pretend to refer users to a target site that lists referrers)
• False user entries on social networks

Dealing with Web spam is very difficult, but a Web developer neglects spam prevention at his or her peril. In this article, and in a second part to come later, I present techniques, technologies, and services to combat the many sorts of Web spam.

Also is linked a very interesting "...hashcash technique for minimizing spam on Wikis and such, in addition to e-mail."

How about a human readable question that tells the user to put in the first letter of the value he put in the first name field and the last letter of the last name field or something like this?

Or show some hidden fields which are filled with JavaScript with values like referer and so one. Check for equality of these fields with the ones you have stored in the session before. If the values are empty, the user has no javascript. Then it would be no spam. But a bot will at least fill in some of them.

I realize this is a rather old post, however, I came across an interesting solution called the "honey-pot captcha" that is easy to implement and doesn't require javascript:

Provide a hidden text box!

• Most spambots will gladly complete the hidden text box allowing you to politely ignore them.
• Most of your users will never even know the difference.

To prevent a user with a screen reader from falling into your trap simply label the text box "If you are human, leave blank" or something to that affect.

Tada! Non-intrusive spam-blocking! Here is the article:

http://www.campaignmonitor.com/blog/post/3817/stopping-spambots-with-two-simple-captcha-alternatives