I like the question based CAPTCHA. I have a low profile wiki where it is enabled for registration, and questions keeps spamers away...mostly. From time to time there is a renegade human who reveal the answer, and spam bots invade. But than I change the question. Last time I changed it was more than a year ago.
Another good measure would be to put all messages from newly registered users in a pre-moderated pool until they prove themselves.
Overall, I think our fort is holding, we just need a way to summon admins a bit faster.