I use a honeypot. Basically, it’s a form field that’s set to a width/height of 0, with “visibility:hidden” in the CSS. The label is set to instruct the end user to do absolutely nothing with the field – to just ignore it – so if someone using a screen reader comes along, they’ll know not to bother with it.

If any input is put into that field, it won’t be sent. Spammers generally auto-fill every field there is, so most times, it turns away the spammers right then and there. A few do get through, but not many. No need for CAPTCHAs, no need to depend on a third party service (and if you do use the 3rd party service, it’s just a bonus level of protection).