This is a beautiful attack on CAPTCHA (as it is currently often implemented), and it only shows that there is no “ONE” solution to rule them all. The attacks on rel="nofollow" as being ineffective against spam now apply to CAPTCHA. Blocking automated spam in all its forms will be a continuous, iterative process combining multiple defenses (such as rel="nofollow").
And to the haters who are pissed that Casey published this: get over yourselves. You need to realize that his post shows that CAPTCHA (as it is currently implemented) is a wall of sand. If it was this easy for him to beat CAPTCHA, a black hat out there probably already has a similar solution. Ignorance is no substitute for security. Now that you know it can be beaten quite easily, go fix it and quit whining.
Thanks to Scott Reynolds for pointing out Casey’s approach.