A registration form is somewhat different from any other form that you might have on your web site. By filling out that form your visitors are registering themselves with your site so as to gain access to something on subsequent visits. By making them register you are asking them to identify themselves in a way that will allow you to tell who they are on subsequent visits.
The main issue that you have with registrations long before you consider the issue of spammers is making sure that the person who fills out the form is who they claim to be. Even if spam didn't exist you have the issue of whether or not the person filling out the form is actually supplying their own information or information belonging to someone else.
One potential problem you have if you don't properly identify the person filling out the form arises when you send emails to those who have registered. If someone fills out the form using someone else's email address and you send out emails to the address supplied without checking that it belongs to the person who supplied it, then you will be spamming the person the email address belongs to. Yes, there are some countries that encourage spammers by simply requiring them to include a "spam me more" (a.k.a. opt-out) link at the bottom of each email, but those countries with proper anti-spam laws require that you confirm that the email address belongs to the person who registered it and that they want to receive your emails before you send them. Ethically you should do this whether your country has proper anti-spam laws or not.
There are a couple of other ways that people might ask to be registered for your site without needing to fill out the registration form on the site. One is if you have a physical store and they register by supplying their information to you in person in the store, and the second is if they contact you by email asking to be registered. Giving you the email address in person means that the chance that the address belongs to someone else is greatly reduced but not completely eliminated. It does mean that you have something in writing that identifies the person who gave you that email address, and so you do not really need to check it further before completing their registration. Where the request comes via email, you have their email address on the email itself as the sender and so already have confirmation of their email address.
So it is only where the registration is done via the registration form that you have the possibility of the email address not belonging to the person who filled out the form and where you don't have any other way of identifying the person who filled it out. So in this situation we need to confirm that the email address belongs to the person who filled out the form before we complete their registration. This process is called double opt-in. They opt in the first time by filling out the form. We then send them an email requesting confirmation that the person receiving the email is the person who filled out the form. They then opt in for a second time by clicking on a link in the email to confirm their registration. So at this point we have confirmed the email address for that registration.
It doesn't really matter which piece of information we confirm about the people who register on our site. From the site itself confirming the email address is the simplest solution. If they register in store then confirming their address or their credit card number will be the easier alternative - which is why we don't need to worry so much about confirming their email address.
Sending one email to an unconfirmed email address where that address has been included on our registration form is reasonable. That it was used for the first opt-in is sufficient to allow us to send that one email without it being considered to be spam. If the person who receives it wasn't the one who registered then they will not click on the confirmation link in the email and that's the last they will hear from us, as the registration will not be completed and so the address will not be included in subsequent mailouts. Only when they confirm that they want to receive further communications by completing the registration will they receive subsequent emails.
By following this process we ensure that the emails we send are not spam (regardless of whether or not there is any legal requirement relating to spam). Of course someone who registered may forget that they have registered and start considering the emails to be spam but there's nothing we can do about that. As long as we have provided a way for them to opt out when they decide they want to cancel their registration it is up to them to do so.
So what has all this got to do with CAPTCHA? Well the double opt-in process by itself is an effective unobtrusive CAPTCHA. Spammers are unlikely to specify their own email address when filling out the registration and so will not be able to complete the registration. If the email address belongs to someone else they will not click the link to complete the spammer's registration. Even where the spammer provides an email address that they have access to they would still need to access the email and click the link to complete the registration and that basically makes it a manual process since a spambot that can fill out the form is not going to be able to click the links in the emails as well. Also it serves no purpose for the spammer to use their own email address when trying to register for hundreds or thousands of accounts.
The only spam that could be generated through a spammer filling out your registration form multiple times would be if they were to start multiple registrations using the same email address. By doing that they could hope to get our site to send hundreds or thousands of emails to the one address asking them to confirm their registration. I can't see any point in them wanting to do that but the simplest way of avoiding that issue is to require that the email addresses be unique. The second attempt to register using the same email address would fail because the address is already recorded even though that registration is incomplete.
By implementing double opt-in and by retaining all of the incomplete registrations we ensure that our site will only ever send one email to any email address without the address being confirmed and the registration completed. All that a spammer could achieve by having their spambot generate thousands of bogus registration requests would be to add entries into our database locking out the thousands of email addresses that they have used. In the rare situation where the real owner of one of those addresses tries to register and finds that they are locked out, because they deleted the email to complete the registration when the spambot used their address a year or two earlier, the solution is for them to contact you by email requesting to complete their registration. This puts them into one of the alternative situations mentioned earlier where they have effectively already confirmed their ownership of the email address.
So the worst that a spammer can do using your registration form is to generate thousands of emails asking people to confirm registrations that they never requested. The way to avoid being identified as a spammer yourself, through your site sending out huge numbers of almost identical emails in a short time (even though they are rather useless to the spammer filling out the form), is to test the IP address the requests are coming from. While an IP address does not uniquely identify a computer (since companies may have thousands of computers sharing the one external IP address and an individual computer can have different IP addresses at different times) it is sufficient for the purpose of flood control. If we only allow one registration attempt from a given IP address every ten minutes then genuine registration attempts are unlikely to be locked out, and the spambot would need to change the IP address of the computer it is sending from before being able to successfully send another.
Between these simple tests implemented in our database we have an effective way of telling the difference between real people wishing to register for our site and any spambot that is simply filling out any form it can find in an almost completely unobtrusive way. A more obtrusive CAPTCHA in the form itself is unnecessary.
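The three database tests described above (double opt-in, unique email addresses with incomplete registrations retained, and one request per IP address every ten minutes) fit in one small table. The following is an added example, not code from the original article. The table and function names, the use of SQLite, lower-casing of addresses, storing only a hash of the emailed token, and counting only requests that caused an email to be sent are all assumptions.

```python
import hashlib
import secrets
import sqlite3

FLOOD_WINDOW = 600  # seconds: one request per IP every ten minutes (from the article)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE registration (
        email TEXT PRIMARY KEY,            -- unique: one confirmation email per address
        token_hash TEXT NOT NULL,          -- only a hash of the emailed token is kept
        ip TEXT NOT NULL,
        requested_at INTEGER NOT NULL,
        confirmed INTEGER NOT NULL DEFAULT 0)""")
    return db

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def register(db, email, ip, now):
    """First opt-in. Returns the token to email, or None if no email may be sent."""
    email = email.strip().lower()  # assumption: addresses compared case-insensitively
    recent = db.execute(
        "SELECT 1 FROM registration WHERE ip = ? AND requested_at > ?",
        (ip, now - FLOOD_WINDOW)).fetchone()
    if recent:
        return None  # flood control: this IP already triggered an email recently
    token = secrets.token_urlsafe(32)
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO registration (email, token_hash, ip, requested_at) "
                "VALUES (?, ?, ?, ?)",
                (email, _hash(token), ip, now))
    except sqlite3.IntegrityError:
        return None  # address already recorded, whether confirmed or still incomplete
    return token

def confirm(db, token):
    """Second opt-in: called when the link in the confirmation email is followed."""
    with db:
        cur = db.execute(
            "UPDATE registration SET confirmed = 1 WHERE token_hash = ? AND confirmed = 0",
            (_hash(token),))
    return cur.rowcount == 1

def mailing_list(db):
    return [r[0] for r in db.execute(
        "SELECT email FROM registration WHERE confirmed = 1 ORDER BY email")]
```

Whatever `register` returns, the form should show the same "check your email" response, so the page does not reveal which addresses are already recorded.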
This article written by Stephen Chapman, Felgall Pty Ltd.