In my case Barry's tip also helped.

There are many alternatives to Captcha, but it seems that with time, all of them are cracked.

One way to at least slow the spammers would be to install 5-10 different captchas, and select randomly which one will appear. If the bot has go through many repeats before it finds the one it knows, it might slow down the process.

Right now XOOPS is installed with one Captcha, so if the bot knows that it is a XOOPS site, it just pulls the right hack and registers. If the captcha is one of possible 10, then it will be harder to guess.

Yes, they've all been hacked including the default one with XOOPS as well as the reCAPTCHA hack for XOOPS. The reason that I use reCAPTCHA is because it's the only one I've found that works for people of disability (particularly sight) which is a requirement for most of the sites I work on. The other alternatives suggested, including the new reCAPTCHA versions, require somebody who isn't sight disabled.

We'll see how Barry's 2-step registration tip goes for now (none new since implemented yesterday) and I'll look at implementing the StopForumSpam piece in the future because I'd like to have a single-page registration solution for users.

We're also using it on the xForms contact us module but they don't seem to be using that yet. I must admit I found it interesting that somehow these folks have setup scripts that allow somebody in some other country to sit at a computer screen and "solve" these reCAPTCHAs for their spam bots at $0.05 each.

And no matter how hard one might try, it's pretty hard to keep folks from figuring out that you're running a XOOPS site. Besides changing code in every template and using the xoRewriteModule to change all the URLs, there are a number of other signatures that would be difficult and/or time-consuming at best to remove.

Step by Step
Tutorial final