@meetdilip I'm not sure on how this exact plugin works other than checking against project honeypot, but Project Honeypot & http:bl does more than just look at IP. It also checks the contents of the Header Request for things like the username & password used and if they match the honeypot, human users with blocked IPs are usually sent to a custom 403 page that contains a link for them to "unblock" the account, this basically asks them to fill out a range of spam busting questions, this then whitelists that IP. However I believe this is done by an apache extension, one for nginx doesn't yet exist. In addition, the http:bl can be set to only go back a set number of days, my SMF forum is currently set to 30 days and with a spam level of 25 (defaults) and it's blocked 1100 spam registrations in 7 days, an example has been posted at the bottom of this post.
Captchas haven't worked for years, I don't even bother using them in production, you have to make them so complicated that humans find them harder to complete than bots. So they're a waste of time, unless you create your own algorithm. Google have broken their own captcha system (the one that uses the picture of a house number and a string of numbers) so it's only a matter of time before bots can.
There's no 100% effective way of removing spam, even a Q&A could be bruteforced, it's the combination of many small spam protection techniques that make it effective. Integration of Q&A is definitely one method. Making it look like a password verification box, but requiring a completely different value, has stopped 80% of my spambot registrations.
In the below image, look at the entity field, passwrd2 is my question and answer form. Whether this is possible in this plugin, I'm not sure, we would have to ask the creator.