About 1000% better than completely open signups, but it’s not a silver-bullet. Just about all of the bot infected instances I’ve heard of were due to open signups. It’s relatively easy to interface with the lemmy API in that case and create a new account, scripting this to create thousands of new accounts in minutes (potentially) is also relatively easy. Having a captcha disrupts that easy process. It can still be circumvented, as captcha has been circumvented before, but every small roadblock like this can deter automatic bot creation on a particular server; they’ll just target one with easier signups instead. Hope that helps explain it a bit at least.
It can stop the most basic ones, but it’s not hard to bypass with optical character recognition (OCR).
There are talks about implementing mCaptcha which would be harder to bypass.
Captchas can’t prevent bots, just increase their cost.
There’s plenty of software out there that can defeat captchas. Not perfectly, but it doesn’t need to be. If it’s 10% accurate, the bot only needs to try 10 times to get in.
You can also pay people to solve them, there are services for that.
This this the relevant discussion and dialogue surrounding the direction they went to keep it self hosted and open source.
I think it depends on the server version for each instance. 17.4 has a crappy captcha. 1.8.0 has none because it was crap and easy to bot. 1.8.1 isn’t out of testing and I haven’t interacted with that yet.
Edit that being said, manual sign up approvals and email verification are helpful tools to combat this.