Many websites today are moving from image CAPTCHAs to riddles or formulas that the user has to solve. Neither stops a resourceful spammer, because a CAPTCHA can simply be relayed to a human: the spammer's server uses a tool such as cURL, routed through an anonymous proxy, to fetch the challenge from the target site, serves that challenge to an unsuspecting visitor of the spammer's own site, who solves it on the spammer's behalf, and then submits the answer back to the target through the same proxy and within the same session id.
Example:
- A spammer wants to create multiple Gmail accounts.
- Unsuspecting users are registering or posting on one of the spammer's sites.
- When a user starts that registration, the spammer's server opens a cURL session to the Gmail signup page through an anonymous proxy.
- The script loads the registration form, fills in all the required fields and copies the CAPTCHA image.
- The unsuspecting user is shown that CAPTCHA image, served from the copy stored on the spammer's server.
- Once the user enters the CAPTCHA text, the script resumes the same session id and submits the value to the Gmail registration form.
- The spammer now holds a new Gmail account, Digg account, or whatever else the target site grants on registration.
This is why, in my opinion, a CAPTCHA is useless and dynamic (alternating) validation methods are much more effective. One caveat is worth stating: the relay never has to read the challenge itself, so anything a human on the spammer's site can answer (an image, a riddle, a formula) can be forwarded the same way, and rotating the challenge type only forces the spammer to update the page that displays it. The practical check on the target side is to bind each challenge to one session, accept a single answer per challenge, and expire it after a short time, so the relayed human has to answer almost immediately.
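The relay flow described above, as an added example that is not part of the original post. It is a self-contained simulation: `TargetSite` is a stand-in for the registration service (not Gmail or any real site), `RelayAttacker` plays the spammer's server, and `unsuspecting_user_solves` plays the visitor who answers the challenge. The challenge is a constructed arithmetic riddle, the session binding, single-use rule and 30-second expiry are assumed target-side policies, and no network or proxy is involved; the point is to show that the same session id carries the human's answer back, and that only a short expiry window constrains the relay.

```python
import secrets

CHALLENGE_TTL = 30.0  # assumed policy: seconds a challenge stays valid


class TargetSite:
    """Stand-in for the registration service the spammer wants accounts on.

    A challenge is issued per session and must be answered with the SAME
    session id, which is exactly the property the relay rides on.
    """

    def __init__(self, ttl=CHALLENGE_TTL):
        self.ttl = ttl
        self.sessions = {}  # session_id -> {"answer", "issued", "used"}
        self.accounts = []

    def open_registration(self, now):
        """Return a fresh session id and a riddle-style challenge (constructed)."""
        session_id = secrets.token_hex(8)
        a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
        challenge = f"What is {a} + {b}?"
        self.sessions[session_id] = {"answer": str(a + b), "issued": now, "used": False}
        return session_id, challenge

    def submit_registration(self, session_id, username, answer, now):
        """Accept one answer per session, only within the TTL."""
        s = self.sessions.get(session_id)
        if s is None or s["used"]:
            return "rejected: unknown or reused session"
        if now - s["issued"] > self.ttl:
            return "rejected: challenge expired"
        s["used"] = True  # single use, even if the answer turns out wrong
        if answer != s["answer"]:
            return "rejected: wrong answer"
        self.accounts.append(username)
        return "account created"


class RelayAttacker:
    """The spammer's server: fetches the real challenge and serves it to
    whoever is registering on the spammer's own site (in the post this is
    a cURL session through an anonymous proxy)."""

    def __init__(self, target):
        self.target = target
        self.session_id = None
        self.challenge = None

    def fetch_challenge(self, now):
        # Open the real registration form and copy its challenge; the returned
        # text is what the unsuspecting user gets shown on the spammer's site.
        self.session_id, self.challenge = self.target.open_registration(now)
        return self.challenge

    def finish(self, victim_answer, now, username):
        # Resume the SAME session and submit the human's answer.
        return self.target.submit_registration(self.session_id, username, victim_answer, now)


def unsuspecting_user_solves(challenge):
    """Stand-in for the human visitor who solves whatever is put in front of them."""
    a, b = (int(tok) for tok in challenge.rstrip("?").split() if tok.isdigit())
    return str(a + b)


def run_relay(delay_seconds):
    """Run the whole relay; delay_seconds is how long the human takes to answer."""
    target = TargetSite()
    attacker = RelayAttacker(target)
    t0 = 1000.0  # simulated clock instead of time.time(), for reproducibility
    challenge = attacker.fetch_challenge(now=t0)
    answer = unsuspecting_user_solves(challenge)
    return attacker.finish(answer, now=t0 + delay_seconds, username="spambot")


if __name__ == "__main__":
    print("prompt human answer:", run_relay(5))    # account created
    print("slow human answer:  ", run_relay(120))  # rejected: challenge expired
```

Note that the target never learns anything is wrong when the human answers promptly: the session id, the proxy's IP and the answer are all consistent. Only the expiry window and the single-use rule push back, which is why those two checks, rather than the difficulty of the puzzle, are what a site relying on a CAPTCHA should tune.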