Beautiful; you can even write the code in Javascript so all humans will notice is a <1s delay when pressing the "submit" button".

But - the spambot can simply bombard you with all the possible suffixes, letting your servers pick the one that is correct (and melting your CPUs while at it).

You'll need to restrict the number of retries for the same message, so they'll have no recourse other than simply tacking some random bits at the end and hoping to hit the jackpot. At this point it becomes a balance act between the amount of CPU the spammer is willing to invest, and the amount of time a valid user is willing to wait.

Whether there is a sweet spot that drives spammers away and keeps users in depends on the relative cost of CPU for users and spammers. Now, even if spammers steal their CPU from zombies, it isn't "free" - they may move on to a site that cheaper to hack. But it is still pretty cheap...

It would be very interesting to see some site trying it in practice.

Look up "TEMPEST", e.g. in http://en.wikipedia.org/wiki/TEMPEST - this isn't merely "old news", this is "so ancient it dates before I was born", and I am old enough to have used punch cards.

This is why some computer rooms will never contain wireless peripherals or wireless networks or Internet connections; but will have an intimidating sign on the door, and combined biometric/keypad entry, and Faraday cages built into their walls, and a self destruct mechanism, and fences around them, and 24/7 armed guards, and a hot line to a fast-response team on a separate near-by base.

For everyone else, well, when you buy tinfoil rolls, remember to buy enough for your hat _and_ your peripherals cables :-)

Neopmuk was the half-dragon in "Jim Button and Luke the Engine Driver". His mother was a Hippopotamus. Pleasant enough character and all, but I hope the code looks more like the excellent book and less like a half-dragon, half-hippopotamus hybrid. Yuck!