
But if the alternative is solving CAPTCHAs by paying real money, then the question is whether the hackers can spend less money to run the hashcash instances on EC2 - they don't have to actually run the computations on the botnet computers.


The alternative is that botnets can inject HTML in a man-in-the-middle attack and get real users to solve useless CAPTCHAs anyway. For example, when a user goes to yahoo.com a temporary page may show up that says "due to increased spammers, we need you to enter a CAPTCHA to prove you are not a bot."

So the user enters the CAPTCHA, then some other botted computer enters it in the real webform.

Basically these types of measures are stupid because any virused computer can be made to do them anyway. This is why CAPTCHAs are only 70 cents / 1000; it isn't because people in India are lining up to enter CAPTCHAs at an Indian minimum wage.


If you are powerful enough to MITM arbitrary sites on a user's machine, you can do /much/ better than get users to solve captchas.

At the very least, you can replace all ads on the Web with ads you make money from. And/or you could phish users and steal e-mail/bank passwords. And/or you could replace binaries the user tries to download with malicious ones.

And so on. I suspect captchas are pretty far down on the list of things you'd do if you had this capability. :)


If you do that, then you're only going to get the user to solve a few CAPTCHAs per pwned computer per day (maybe 20 or so if you make it really mean). If that's all you want, this hashcash implementation won't be an obstacle either, but that's a far cry from a million spams a second.
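The cost asymmetry the thread is arguing about (a hashcash-style token is cheap to check but costs roughly 2^bits hash attempts to mint) is easier to see in code. The block below is an added example, not part of this thread or of the implementation the commenter refers to. The challenge format, the resource name, and the hash rate and rental price fed to the cost model are constructed placeholders, not measured figures.

```python
import hashlib
import secrets
from typing import Tuple

# Added example (not from the thread): a minimal hashcash-style proof-of-work
# challenge a site could hand a client in place of a CAPTCHA. The server keeps
# no per-client secret; it only checks that SHA-256(challenge || counter)
# starts with at least `bits` zero bits.


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()  # zeros before the first set bit
        break
    return count


def make_challenge(resource: str, bits: int) -> str:
    # `resource` binds the token to one action (e.g. a signup form) and the
    # random salt prevents precomputation. Format is assumed for this example,
    # not the hashcash v1 stamp format.
    salt = secrets.token_hex(8)
    return f"{bits}:{resource}:{salt}"


def solve(challenge: str) -> Tuple[int, int]:
    """Return (counter, attempts). Brute force by design: ~2^bits hashes."""
    bits = int(challenge.split(":", 1)[0])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter, counter + 1
        counter += 1


def verify(challenge: str, counter: int) -> bool:
    """One hash per check: verifying is cheap, solving is not."""
    bits = int(challenge.split(":", 1)[0])
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits


def expected_attempts(bits: int) -> int:
    """Mean number of hashes a solver needs for a `bits`-bit target."""
    return 2 ** bits


def solutions_per_dollar(bits: int, hashes_per_second: float,
                         dollars_per_hour: float) -> float:
    """Rough cost model: tokens one rented core mints per dollar spent.

    Both rate inputs are placeholders to be measured for a real deployment;
    the point is that difficulty can be tuned until a token costs more than
    the going CAPTCHA-solving price mentioned in the thread.
    """
    hashes_per_dollar = hashes_per_second * 3600 / dollars_per_hour
    return hashes_per_dollar / expected_attempts(bits)


if __name__ == "__main__":
    challenge = make_challenge("signup", 16)
    counter, attempts = solve(challenge)
    print(challenge, counter, attempts, verify(challenge, counter))
    print("tokens per dollar at 20 bits:",
          solutions_per_dollar(20, 1_000_000, 0.05))
```

Raising `bits` by one doubles the solver's work while the verifier's cost stays at a single hash, which is what lets a site price a token against the per-thousand CAPTCHA rate quoted above rather than against human labour.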



