In my travels across the web today, I stumbled across a cool post about beating various captcha security types.  One of the methods referred to PhpNuke and SMF.

My attack against PHP-Nuke is taking advantage of the fact that there are only 10^6 or a 1,000,000 possible combinations of this captcha. It only takes a few minuets to calculate all possibilities. I am storing the results in as a md5 hash in a SQL database for speed. The entire SQL table needed to crack this captcha with 100% accuracy takes up less than 43 megabytes. After the table is generated it take only a few seconds to crack a captcha. This is a time-memory trade off very similar to Rainbow Crack. Let me be very clear that I am not relying on MD5 for security and in fact a faster and much less secure message digest function like Tiger is better suited for this task. MD5 is being used as an attack tool because it saves a lot of space and time verses storing the entire image in the database.

Read the Rest of this Article

In theory, anything man made can surely be destroyed by man.  However, I don't know if it would work with the type captcha that RavenNuke or Evo uses, but the I am sure it is possible with minor variations.  My question would be what is the next line of defense?  Some thoughts here are these:

For User Registrations

Make sure you require email validations.  It surely will not stop a spammer, but might slow them down some.

Admin Login

Make sure you are guarded by .htaccess auth possibly from Nuke Sentinel.  This is just one more layer of protection for your site.  They would have to bypass that to even defeat the captcha and hammer the admin login.

Comments & Downloads

Comments may be of some concern, possibly a approval setting where admins must approve comments similar to a Wordpress blog.  Downloads is not a big big deal, but massive captcha defeat could add tons of stress to the server.

Like I said above, any system is beatable, but a second line of defense (or maybe a third) is not a bad idea.