I once implemented a "poor man's captcha" that presented a simple randomized question that anyone would be able to answer (ranging from "what year is it" to "what's 2 + 2"). I guessed that nobody would make the effort to write a custom script for this, because the website in question was so niche and the stakes so low -- a very quiet corner of the Internet; I don't even remember what is was, possibly some feedback form that went to a support email. I actually felt some irrational measure of pride when, probably a year later, I was looking at some logs and discovered that some script kid had cracked the questionnaire and was currently using the form to post nonsense text with Viagra links. Someone had actually sat down and written code to crack my terrible solution, and probably spent more time on it than I had (which is to say, more than five minutes). Made my day.

For small scale sites you don't even need to do much that requires human intervention. Most bots (or at least most bot-actions) seem to invest very little in sophisticated techniques and rely instead on finding vulnerable servers by casting a very wide net. As long as that is true, you can filter out 99+% of the noise by applying very simple but slightly bespoke techniques.

As long as there continue to be enough cookie-cutter blog/forum/ecommerce sites out there for the bots to exploit, very simple techniques (JS-populated form fields or request parameters, very basic validation of the HTTP headers, taking into account the rate or frequency at which requests are made, etc.) will quickly and cheaply identify almost all of the bot activity.

Of course sophisticated or dedicated bots will still pose a problem, but assuming you're not just standing up a popular off-the-shelf platform without any hardening or customization, you'll need get pretty big (or otherwise valuable) before attracting that kind of attention.

A reasonable analogy here is the observation that simply running sensitive services on non-standard ports (e.g., not running SSH on port 22) will eliminate a ridiculous volume of malware probes against your system. To be clear, that's no substitute for actual robust security practices -- you almost certainly shouldn't have something like SSH world-visible to begin with -- but given how trivially easy it is do something like to change the default port for services you're not expecting the public at large to reach it's absurd that servers are compromised by dumb scripts blinding probing the Internet to exploit well-known and long-ago-patched exploits every day.

I did that for on an old forum that has been dead for year, I thought spammers would not care enough.

But one of them did! Whenever I changed the questions, bots would stop for a few days, and then start again. Someone cared enough to manually enter the correct responses (no, blind dictionary attacks were not possible)!

This is probably good enough for 90% of websites that accept user content. Then in the small chance it isn't because of growth or some random spammer decided to spend some time on your site, then you can switch to something like recaptcha.