Captchas are a terrible user experience.
(Image caption: I've seen more captchas like this than I can count.)
They put the onus of spam protection on the visitor filling out the form and, personally, show me how lazy you are as a site administrator. There are a hundred different ways you can protect your site from spam on the server side - why would you forgo these options and force your visitors to jump through additional hoops?
Instead of using a captcha, let's look at two passive things you can add to a form to reduce spam.
In general, humans are slow. This is one of the reasons we invented computers and started scripting bots to begin with - non-humans are quicker and more efficient at completing certain tasks than we'll ever be.
And that can also be their disadvantage.
Add a hidden field to your form that contains the current server time (based on when the form was generated). Then, upon submission, compare the form's timestamp against the current server time. If the form was submitted too quickly (say, less than 3 seconds after it was generated) then a human probably didn't fill it out. One important detail: a hidden field is still just a request parameter, and a bot can set it to any value it likes. Sign the timestamp (an HMAC with a server-side secret is enough) and verify the signature before trusting it, otherwise the check costs an attacker nothing to bypass.
Twitter, for example, uses a similar timer to protect its API against replayed requests. OAuth-signed requests carry a request timestamp, and Twitter requires that timestamp to be within five minutes of its server time for the request to be considered valid. The principle is the same: a request whose timestamp falls outside the expected window is rejected.
This approach won't work if you use full-page caching on your system, though - every visitor would receive the same, increasingly stale, timestamp. Be sure to disable the cache (including any CDN or reverse-proxy cache) for your form pages, and reject timestamps that are too old as well as too new so a cached token can't live forever.
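A worked version of the timer check, added here as an example and not code from the original post. The hidden field carries the generation time plus an HMAC over it, so a bot can't simply back-date the value; on submission the token is verified and then checked against a lower bound (filled in too fast) and an upper bound (stale, for example served from a page cache). The secret, the field format and both thresholds are assumptions for the example:

```python
"""Tamper-evident form timestamp (added example, not the original post's code).

The hidden field holds '<unix-seconds>.<hmac>'. On submission we verify the
HMAC first, then reject forms filled in faster than MIN_SECONDS or older
than MAX_SECONDS. SECRET_KEY and the thresholds are assumptions.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

SECRET_KEY = b"replace-with-a-long-random-secret"  # assumption: load from config, never hard-code
MIN_SECONDS = 3          # faster than this and a human probably didn't type it
MAX_SECONDS = 6 * 3600   # older than this and the token is stale (or came from a cache)


def _sign(value: str) -> str:
    """HMAC-SHA256 of the timestamp string, hex encoded."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def make_form_token(now: Optional[float] = None) -> str:
    """Value to place in the hidden field when the form is generated."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_form_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Any failure is treated as a bot submission."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(".")
    if not sep or not ts.isdigit():
        return False, "malformed"
    # Constant-time comparison so the MAC can't be guessed byte by byte.
    if not hmac.compare_digest(mac, _sign(ts)):
        return False, "bad signature"   # field was forged or edited by the client
    age = now - int(ts)
    if age < MIN_SECONDS:               # also catches timestamps from the future
        return False, "too fast"
    if age > MAX_SECONDS:
        return False, "expired"         # stale token, e.g. a cached form page
    return True, "ok"


if __name__ == "__main__":
    token = make_form_token()
    print("hidden field value:", token)
    print("immediate submit:", check_form_token(token))
    print("submit after 10 s:", check_form_token(token, now=time.time() + 10))
```

The token here is not tied to a session, so a bot could fetch one, wait a few seconds, and reuse it for every submission until it expires; if that matters for your form, store the token (or a nonce inside it) server-side and mark it used on first submission.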
A honeypot is a trap used to detect bots. It's a form field that, usually, is invisible to real visitors but seen - and completed - by scripts, bots, and other programs trying to attack your form.
A bot is typically smart enough to fill fields labeled "email" with a valid email address so they can skip past validation routines. Like their speediness, this trait can be used to identify and reject submissions from bots.
For our purposes, we rename our regular email field to something a bot won't recognise and add a new, decoy field named "email" that will be hidden by CSS.
When viewed in a browser, the entire decoy block is hidden from the user - they can't fill in the "email" field by mistake. Even if they're using a text-based browser (which applies no CSS) or a screen reader that ignores the display: none; declaration, the field is labelled in a way that makes clear it should be left blank.
Bots, however, will fill in the field. When processing the request on the server side, we can reject the submission wholesale if "email" is non-empty.
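The honeypot as a complete form plus server-side check, added here as an example and not the original post's markup. The real address lives in a field called `user_email` (an assumed name for the renamed field); the decoy keeps the attractive name `email`, is wrapped in a block hidden with `display: none;`, is labelled so that anyone who does see it knows to leave it empty, and is kept out of the tab order and out of browser autofill. Anything that fills the decoy is rejected:

```python
"""Honeypot form field (added example, not the original post's code).

Renders a contact form whose decoy 'email' field is hidden by CSS, and
rejects any submission in which that decoy is non-empty. The field names
are assumptions.
"""
from html import escape
from typing import Dict

HONEYPOT_FIELD = "email"          # the bait: the name bots love to fill
REAL_EMAIL_FIELD = "user_email"   # assumption: whatever you renamed the real field to


def render_form(action: str = "/contact") -> str:
    """Return the form HTML with the honeypot block hidden from real visitors."""
    return f"""<form method="post" action="{escape(action)}">
  <label for="{REAL_EMAIL_FIELD}">Your e-mail</label>
  <input type="text" id="{REAL_EMAIL_FIELD}" name="{REAL_EMAIL_FIELD}">
  <!-- decoy: hidden from sighted users, labelled for everyone else,
       skipped by the tab order and (as far as browsers honour it) by autofill -->
  <div class="hp" style="display: none;" aria-hidden="true">
    <label for="{HONEYPOT_FIELD}">Leave this field empty</label>
    <input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}"
           tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>"""


def is_bot_submission(form: Dict[str, str]) -> bool:
    """True if the decoy was filled. Whitespace-only padding does not count."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def process_submission(form: Dict[str, str]) -> Dict[str, object]:
    """Reject honeypot hits before any other validation runs."""
    if is_bot_submission(form):
        return {"accepted": False, "reason": "honeypot filled"}
    email = form.get(REAL_EMAIL_FIELD, "").strip()
    if not email:
        return {"accepted": False, "reason": "missing email"}
    return {"accepted": True, "email": email}


if __name__ == "__main__":
    print(render_form())
    # Constructed sample submissions: one from a human, one from a bot.
    print(process_submission({"user_email": "alice@example.com"}))
    print(process_submission({"user_email": "alice@example.com",
                              "email": "bot@example.com"}))
```

Run the honeypot check before any other validation so a bot never gets feedback from your validation messages. Browser autofill can occasionally populate a hidden field named "email" despite `autocomplete="off"`, so log honeypot rejections rather than discarding them silently; the log is how you'll notice a real visitor being turned away.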
These are just two passive routes you can take to secure contact, purchase, comment, or other forms on your website. They're almost entirely transparent to your visitors and thus won't carry the same frustration and distasteful UX of a captcha. Against the generic scripts that account for most form spam they're nearly as effective; a bot written specifically for your site can learn to wait out the timer and skip the honeypot, which is why it pays to keep a second layer behind them.
For spam that does continue to make it through, you can turn to active prevention techniques like an IP block list or a service like Akismet.
An IP block list is a hand-curated list of addresses known to generate spam - requests coming from these IPs can be ignored. You can curate the list yourself, or turn to one of the publicly curated lists available online. Keep in mind that spammers rotate addresses and that many legitimate visitors sit behind shared or carrier-grade NAT addresses, so review the list periodically rather than blocking forever.
Akismet will scan the content, referer, and IP address of a comment or form submission and compare it against a database of known spam. Potential spam submissions are flagged as such and can either be discarded or held in a queue (to allow manual double-checking for false positives). The service is free for personal use, or there are reasonably priced plans for commercial sites.
Whatever route you take, there are always both passive and active alternatives to captchas. Avoiding captchas will improve your conversion rate and make the experience of using your site that much more pleasant for any visitor who comes along.