No perfect solution exists, but the following may help.
1) Parse the logs of your web application and ban any IP that attempts to create multiple accounts. Not great because you may have multiple users sharing the same public IP. It only works ok if you automate it via cronjob scripts.
2) Require the user to provide an external means of identification (such as an email address or a phone number) whose existence must be verified before his account is activated. Not great because bots may use disposable addresses/numbers, it delays the activation for legitimate users, and it requires more effort to implement than 1).
3) Alternative capchas. If your site is not that big of a target, you can get away with some naive captcha (such as Captcheck) without annoying your users too much. The problem is (as you have already noticed) naive captchas are not that hard to break for persistent bots; meanwhile complex captchas are bad for users. Maybe try different capctha solutions until you find one that sticks.
Martin wrote:
But what useful methods exists that prevent spamming a HTML signup form from stuffing the database with useless signups?
