First . . . define "on our site." Message board, contact form, account registration form?
A basic premise: spammers always want something. If you can figure out what those motivations are, and take away the motivations, they will move on to greener pastures, which is the best we can hope for.What I mean by this will become apparent.
IME a Captcha only provides temporary relief, and they **can** be broken by bots, I've seen it happen in a vBulletin install. If it's a message board, by all means, use the captcha, but you should also be able to add a custom field. Second, like it or not, moderate signups.
In a message board environment, they want to get in and start dropping spam links. If you moderate, spammers will figure you're too much trouble and will delete their posts anyway.
If it's **anything else** - a contact form, account registration form **any** input form, especially if it results in an email being sent - it gets easier.
Most of these attacks have a certain "flavor" to them - they want to link drop. They will use standard links, encoded links, BBcode style links, but you can identify it easily. Step 1 is to log all input coming from your forms. Open a test file in a private location, write the raw input to it, review it often. This is required to get the exact pattern of what they are up to.
Step two is to accept only what you want, throw everything else away, then build a list of common patterns to trigger an exit if those patterns are found. On exit, just a simple message: "invalid input found, no email was sent. Action logged."
This simple method will stop most of them; they will give up and realize they are wasting time on you.
I have never had to resort to a Captcha, creating a barrier for your users should be an absolute last resort.
Two cents on IP's: for spammers, they are likely compromised computers/servers, but for many legitimate users, their ISP dynamically changes the IP as needed.