I’m currently working on a web which uses a contact form. To avoid Spam, I use reCaptcha which is a very good Captcha system (even better than the one I used for the blog comments). You can see it in action in the contact form of this blog.
The problem with the default reCaptcha output is that it does not validates XHTML 1.0 Strict because the use of iframes. But you can change the code at the recaptchalib.php file (available here). This problem persist at the current version (1.10 at this moment).
Replacing the code at lines #122 – #128 with:
will do the trick