The best solution so far has been to request the browser to sign the request with a key-pair sent from the server. A browser can be “asked” to identify itself with an ajax request to obtain the server’s public key, and a one-time token can allow for it’s signature of the action – whatever it is: creating an account, posting a message, uploading files, clicking through all the pages of the site really fast (in script-like fashion), etc…

I am very much against all forms of CAPTCHA for all the reasons you’ve highlighted above and more. They are anti-user, and they don’t really provide any real security, unless your idea of security means that all humans can be trusted whereas all machines/scripts can’t.