23
Some bots have been created that can bypass captcha, unfortunately. Usually these bots are also exploiting a security flaw found in the registration script.
If bots are able to register with XOOPS sites then surely that makes the http-refferer check obsolete (btw im not a security expert, just asking).