Currently on my website I've been using CAPTCHA for private message conversation reply forms, commenting forms, and almost every form page on the website (that creates new records).

It gets pretty expensive for the server to have to create, draw and store (the text in the db) the CAPTCHA-related info EVERYTIME a form is rendered (even if the form isn't even filled out).

I've thought about having a spam filter or a anti-flooding system for the website, but I'm not really sure 100% of how to implement it. Should I create a table for all the recent requests? Should I create a minimum time delay (say 30 seconds) between form posts?

Even if I don't use CAPTCHA anymore, there's still the problem of bots posting data onto the website automatically ... as long as its between the time periods.

What do you guys have in mind?