If you have yet to have your captcha overrun by spammers I wouldn't worry about it too much. More than likely you would encounter a simple blow-thru technique where humans on different sites are tricked to answer the captcha for the bots, and the results are passed through.

I use a simple captcha which is javascript that simply tells the server whether someone is at the keyboard typing and clicking buttons which, to date, has been 100% but probably wouldn't last long if it became widely adopted.

I use a simple question and answer system on about 20 websites, which so far is also 100%.

Ok I just want somebody to tell me how the following scenario was possible (because i did it using C# and i was able to bypass the CAPTCHA challenge of a website):
The C# bot created a request that is 100% similar to a legitimate HTTP request done by a human (which is me) and captured by an HTTP sniffer.
This request could be a result of a question / answer, an image or whatever.
I liked incrediBILL way of using javascript to tell the server that somebody is typing. But couldn't this be cloned over and over by a bot? just inquiring.

Anything could be done by a bot, but that assumes your site alone is worth their time to mess with. There's a few tricks to the anti-spam stuff I do, it's deceptively simple but has kept the crud off my sites for years now.

I have one high value target and I sat one night watching someone from a Romanian IP address feverishly hack at my anti-spam stuff for a couple of hours and he found one loophole which I quickly closed and never had an issue with them ever since ;)

BTW, anti-spam when done right isn't a single solution but a series of checks.

For instance, is the spammer using GET or POST to submit? Many still try to use GET and simply requiring a POST will jam them up for a while.

Does the spammer accept your cookies? Assuming an actual visitor came to your site and received the page in their browser they would also receive a cookie. If someone tries to POST the form without the cookie it gets rejected.

Does the spammer send a referrer? Assuming an actual visitor came to your site and submits the form from your site, it should have the referring page along with the POST and the COOKIE.

Then add some javascript to record whether there is any keyboard or mouse activity and send it to the server. Now you require a POST, a COOKIE, a REFERRER and a KEYPRESS or MOUSEMOVE to complete the submit, so on and so forth.

Put the javascript in a file that needs to be loaded separately from the server as many bots don't load secondary files. Using PHP handlers it's trivial to detect that the javascript file (and CSS file) was loaded as another 'tell' that it's actually a browser and you can track that in the session.

Additionally, check the user agent doing the submit. If it doesn't start with Mozilla, Opera or some cell phone user agents kick 'em out.

See how you can easily build up a few simple rules and requirements that harden the form?

Obviously a real hard core determined spammer could emulate a lot of this but then it slows his efforts down, decreases the amount of spam he can send, and takes more time to figure out what your site requires.

Just to make life harder, I randomize some of the stuff above such as field names, page names, etc.

Best part is it'll easily bounce the lame spammers.