First, to enable Captchas you need the captcha module. Don't get fooled by the documentation stating it requires textimage module. It doesn't. Instead it serves simple, text based captchas. I personally prefer text based captchas over image based, since they are a lot less error prone, and they are accessible to (color)blind people, too. Additionally, as I will explain later on, image based captchas can as easily be bypassed as text based ones, so they don't provide additional security.

Image Captcha

How do robots solve challenges? Well, first of all, there usually is no intelligence in a robot's strategy. That is they don't try to solve the riddle by trying to parse and understand the question, but usually delegate it to a human beeing, like this: If you - as a spam bot - find a captcha, that is in this case: a text field named "edit[captcha_response]", read the label's text and carry it over to a special server. Wait until the server returns an answer to the challange. Post the answer. The server now will use the question to pose a captcha itself to the next visitor of a highly frequented site, for example a free porn site.

Image based captchas can be bypassed the same way - if the image cannot be simply read using Optical Character Recognition, better known as OCR (Yes, the same way your scanner reads documents). This is not rocket science, actually it's also available as an open source library.

Math Captcha

If properly configured, the captcha module asks a simple math question like "what is 2 + 8". Each operand is between 1 and 10, so the result is between 2 and 20, with a higher posibility for values near 10. One should think, this won't pose a challenge to a spam bot, hence it does. From my experience, comment spam was dramatically reduced: Only one spam bot managed to bypass the catcha, posting around 1 comment spam a day.