Then established users can still post functional links. If any of those abuse the privilege, you can simply yank it, or suspend the account, or whatever.

Trickier would be to still let (some) anonymous users post links. Disallowing link posting by anons from particular IP ranges, perhaps -- any time a spammer starts abusing an IP range, it gets added to the black list. Innocent people from that range can still post comments, but not ones with working links, (not anonymously -- they still can if they register and make a few posts).

Another angle of attack is to figure out how the captcha might be circumvented. The obvious answer, that the guy's posting manually, is not applicable if he made over a thousand posts in only a few minutes.

Another, but it might not sit well with some people, is to silently reject foreign-language posts. Requiring posts to have a minimum of five English words from some dictionary would work for a while, especially if this comment got edited or deleted once you read it and it was unclear why the posts in question were failing. Eventually someone would guess and start adding random English-language junk to spams to get them by. Requiring the whole post to be fairly close to English-prose character-frequency statistics might work, for longer posts anyway.

Changing the captcha code a bit might break the lozer's script without affecting anyone else.

Most of the above could be applied solely to posts with links -- even the captcha itself could be required solely on posts with links, for that matter. All of the posts we seek to prevent have links, after all.

I assume that this:

<input type="hidden" name="patch2007b" value="9.6d934cffda03be.17.57AjV7.5.7ddf4e908c0e110aac.17.ExknXR" />

is intended to detect scripts that just fill/change all form fields? Making it non-hidden and adding a (human-readable only!) note elsewhere on the page saying to leave the contents of that field be might help trip up such scripts -- the smarter ones will look for type="hidden" and ignore those fields, but might edit everything else.

Changing the name of the big textarea to something other than "comment" might trip up some of the stupider scripts. (Smarter ones will assume any non-hidden textarea is a comment field, and flood all of them with copies of the spam message.)

Best bet, though, may be simply to reject anything with more than a certain proportion of the text part of links. Most of the spew I've seen here fails a "less than 50% of the visible text is blue and underlined" test, and none of the legitimate comments.

P.S. Is "9.6d934cffda03be.17.57AjV7.5.7ddf4e908c0e110aac.17.ExknXR" an encoded representation of "Yellow", by any chance? Or a hash of same?

If so, the captcha may be bypassed by anyone who manages to reverse-engineer the coding. In the case it's a hash, the bypass would be to change that form field to the hash of a known string, and put that known string in the visible captcha field (patch2007a), requiring only knowledge of the hash algorithm.

Better would be for the 2007b field (or the prior, "form key" field) to be temporarily stored in a database table with the correct answer, at the time the form and captcha question get generated at the server side; a submission has the submitted answer compared with whatever is stored with the key field in that DB table. The code is then not a hash or any other discernible function of the correct answer, but instead a magic cookie.

The other apparent way to beat the captcha is to brute-force it -- parse out the six possible answers and pick one at random, then try to submit. Out of 6000 attempts, 1000 or so will succeed. This can be blocked in a few ways:

• Images instead of text, at least raising the bar to require OCR to parse out the possible answers.
  
• Non-multiple-choice-format questions, such as math problems (ENGLISH-LANGUAGE WORD PROBLEMS or they could be fed to "calc.exe"!); they'd have to completely replace the current multiple-choice ons.
  
• Automatic temporary IP bans, say for an hour, every time there are e.g. three wrong answers in a row from the same IP. That slows the flood from brute-forcing to a trickle -- you'll get one or two successful posts, then nothing for a blissful 60 minutes as the bot gets itself temp-banned, then one or two successful posts, then nothing. For extra added fun, ignore the last two octets in this, so three failed postings (all due to WRONG CAPTCHA ANSWERS, mind you) from IPs that all start with 183.36 will result in all posts from IPs that start with 183.36 being rejected for an hour. (Don't accept a post with an answer of "--fill me--", but don't count it as a "strike" either; perhaps only count a "strike" if the answer submitted is identical to one of the five "wrong" answers. This will make it virtually incapable of punishing a legit human, but still guaranteed effective against scripts. Relax "three strikes in a row" to "three strikes in a one-hour period" on top of that. Bye-bye bots -- the few that trickle through can be mopped up by hand due to their low rate, unless someone goes after you with a large distributed botnet, and even there, what would have been a tsunami becomes a mere flood.)