Brad, that last comment on your blog post - an ad for a DVD of Magnum PI - seems to have been posted AFTER the guy got through your C/R.

And there's an entire cottage industry in cheap labor places like the Phillipines, that do nothing except respond to C/R challenges and type in fuzzy words from captcha protected signups, at a dollar for a hundred captchas, or something similar.

C/R isn't too much of a defense against other labor intensive spam operations, such as Nigerian spam. It is just that the volume of C/R right now is just too damned low for you to notice any steps at all that spammers are taking to do an end run around them. But if (and that's a big if) C/R does get more popular, you'll notice that its trivially easy to game it.

That kind of gaming of C/R and captchas is entirely besides the elementary scaling problems that captcha faces.

I tend to call it "Challenge Response Authentication Procedures" btw .. makes for a nice, catchy acronym, that.