Hi, i am trying to think of ways of securing or at least "trying" to put some extra security measures in place on my websites sign up form.

I understand that captchas can be broken very easily and more importantly they could actually stop a potential user from signing up to my site.

Points To Note:
- i have strong JS and PHP validation in place on the sign up form
- user's accounts stay in 'pending' status until the click the validation link that was emailed to them (changes to 'active' once the validation link is clicked)
- a cron runs every hour and deletes all 'pending' accounts that are older than 72 hours

I cannot really think of any other security measures that i could put in place, without really annoying the users, and i understand that spam / bots are just part of everyday life on the internet...

However, i would like to try and detect when suspicious activity occurs on my sign up form... so i was thinking of implementing the following:

When a user submits the form, check to see if the IP address has already created an account within the last 7 seconds... if it has, display the a captcha

I understand that a whole college or building might be running off the same IP address, but the worst than can happen is that a few users who create an account close together will have to enter a captcha... and even for a very popular site, that percentage would be very low as it is only used for sign up and not for any other function on the site

I am interested to hear whether anyone has any better idea (which i am sure loads will have) or what you think of my idea, thanks in advance for your help...