1. Simple mathematical question, e.g. "What do you get if you add five and three?" Answer is processed on the server.
2. Hidden form field that is supposed to remain blank.
3. Blacklist of common spam words.
We still get the occasional spammer but the real problem was our phpbb3 board showing up in the automated spam programs. As soon as we were slightly different than the default install, nearly all the spam stopped.
The interesting thing was that even the built-in captcha didn't stop the spam--it was worth cracking since everyone uses it.
On another forum I used to moderate (I think it was an Invision Powerboards one) I fixed it with a second field asking something like "What makes things fall down? gravity or noodles?" And if they entered gravity it would let them register. It lasted a few years, then a few randomly got in but by that time the forum had died.
Best CAPTCHA ever: http://random.irb.hr/signup.php
If your concern are only dumb, fully-automated bots not targeting your site specifically (which is true for the bottom 99.5% of the web) then you don't need CAPTCHA.
2 and 3 are great for non-targeted attack. 1 is a very weak protection against targeted attack and it's likely an overkill unnecessarily burdening users.
Unfortunately it wasn't allowed because the site owner pointed out that the market the site was aimed at had a reasonable number of people with connotative difficulties - ie, they struggled to follow multi-step instructions.
(Yes, this does mean that computers are able to solve a problem that is supposed to identify a human much better than some humans.)
Even my pre-school self could solve the Sesame Street "one of these things is not like the other".
There are so many sets with an odd-one-out that would only be easily determinable by a human over a computer.