Botnets are actually just about peaking. Consumers are, increasingly, locking down their machines (though prompted by more visible infections of more overt viruses and spyware), and newer computers and operating systems have had firewall capabilities and the like shipping with them and enabled by default for a while. As older, infected machines are replaced botnets will start weakening. Common malicious outbound traffic patterns might become targets for filtering by ISPs (hopefully without impacting user-desired traffic, such as p2p, but we know how likely the ISPs are to disrupt that intentionally and then blame it on spam filtering...) and e-mail itself might be superseded by a pseudonymous, sender-machine-address-authenticated form of mail.

Or we might simply see a rise in webmails and forwarding services that will do something like this:

Alice sends Bob an email, to his address at Gmail or a forwarding service or whatever. The service has no record of Alice as one of Bob's contacts, and as a result, the message isn't simply sent on for Bob to read yet. Instead, an autoreply is sent to Alice that directs her to the service's Web site. Once there she encounters a captcha. If she proves she's human, the message is released from quarantine and future messages from Alice to Bob encounter no obstacles. Unless of course Bob tells the service to block Alice or put her back on "probation".

This requires some way to identify Alice, so the system would require the captcha authentication for every message with any irregularity in the Received: header fields or no reverse lookup on the source IP. Otherwise, after one message is allowed through, future messages coming from the same IP sharing the same From: are passed through.

The effects on spam are as follows:
1. Spam sent directly from a consumer broadband address, generally from bot-infected PCs, produces a reply email that probably bounces (the errors-to or whatever address is phony), and nobody shows up and passes the captcha within the requisite time (say, one week). After a few such failures from the same source IP, it's blanket-blocked by the forwarding service and the spam doesn't even cost that service much anymore. None of it reaches a potential buyer/scam-victim/whatever.
Some of this spam may also be blocked by an ISP blocking outbound traffic whose destination port is 25 and source IP is a customer's machine (regardless of source port).

2. Spam sent via an ISP's mail exchange gateway is susceptible to being blocked readily by the ISP, which can terminate accounts misused to send spam through its gateway in the traditional manner. "Spamhaus" ISPs (ISPs that let users spam with impunity) get blacklisted as usual on the wider 'net. The forwarding services and webmails block them entirely, or filter most of the spam with the captcha and the few where the spammer actually deigns to authenticate as a human get someone mad who then has that sender blocked from sending to them. If too many combinations of from and IP with the same IP are blocked or captcha'd the ISP may be told to shape up or be blanket-blocked altogether.

Notice that none of the above depends in any way, shape, or form on filtering (bayesian or otherwise) that might produce false positives. The only "false positives" occur when people send mail but either use a bogus reply-to or don't bother to verify they're human the one time. The mail can't have been that important, then, can it?

(For the record, mail sent to report spam using "abuse.net" did an authentication thing like this for a long time, and perhaps still does. It didn't use a captcha; it just authenticated that the message had a valid reply-to before whitelisting that sender from then on. Otherwise the service could have been abused to spam sysadmins. Adding a captcha makes it even more robust.)

Updating what's already out there can never "fix" the problem, because it would never be installed by the vast number of non-updating systems. After all, trojans disable autoupdate, and before XP SP2, it didn't run entirely by default at all. And while free OneCare for all is a nice idea, most viruses and trojans are difficult to remove without offline recovery. Shipping everyone a CD that runs a scan outside windows and cleans up would be a great idea, aside from self-updating viruses, and you can actually make a CD like that with AVG and BartPE.

With the release of XP M$ added full support for the TCP/IP standards for raw sockets - full total support (for an Open Standard, no less!).  Sounds good, but the only part of the TCP/IP stadards that wasn't already in Win2K was the raw socket commands.  These are _only_ used - very sparingly - by Sys Admins/deveoplers for testing.  They are fully implemented on Unix/Linux, and while "nice to have" on Windows, they are not required, and there was no major push from customers for it.  Reason is they are very dangerous in that they permit remote execution.

Add to that the wilful/bizarre/short-sighted/pick-your-own-adjective decision by M$ to essentially force all but the most tech-savvy users of XP to run in Admin privilege mode all the time, and bingo, M$ made every run of the mill new PC as attractive and useful to bot herders as the most powerful Unix servers.  In fact often more attractive, as they are both less likely to be discovered, and more unused CPU cycles.

This scenario was predicted, and brought to M$ attention before release of XP in case it was an oversight, but they went ahead and released it anyway.  They have now finally put in restrictions to this access of raw sockets, but only for those systems running XP SP2 _AND_ who've installed a required later patch _AND_ who weren't infected before that, or who aren't infected while doing their initial installation and patch updates!  (See http://www.grc.com/dos/intro.htm for the entire history, including a posting from a bot herder of the time rejoicing about all the new targets.  This is also a good link to learn about bots if you have the time, Steve Gibson infiltrated the IRC bot networks at one time, and exposed many of their conversations.)

Notice that most of the "very good" captchas have the caveat "not always human-solvable", which is damning for a site like this. The ones that don't do make excellent references, but even more than that, the problem boils down to: what percentage of the current spammers are going to see my site as worth the trouble of OCR? Given that most of the current spam is random link spam, probably generated by bots trawling the web for submission forms. So the question is how much can you stop, without costing too much time or money.

For now, relying on botnets being stupid should be sufficient. They don't generate monthly reports, so sites that implement captchas may be entirely off their radar for months or more. That means even a constant word can cut marketedly into the spam! In fact, I bet the subject requirement already helps. They also don't run javascript, so very basic javascript-based captchas (where the server generates both an image and the javascript to solve it) will be sufficient to stop them cold for the time being. I got interested in it so I wrote a proof of concept or two, it isn't hard at all.

Early implementations of the concept have tended to be plagued with accessibility problems; but not some modern ones. (Check out blogspot comment posting. Note the wheelchair button next to the captcha? Try it.)

5. Cool. So, if I already hate blind people (see 2), I can now hate 95% of the internet's users. I am so ready I can already taste the hatred. I'm salivating just thinking about all those souls I can hate. Oh wait... they have no souls because they use Windows.

And let's get a list of ISPs that block port 25, either totally or until request:
AT&T
BellSouth
CableOne
Charter
Comcast ATTBI
Cox
EarthLink
Flashnet
MediaOne
MindSpring
MSN
NetZero
People PC
Sprynet
Sympatico.ca
Verio
Verizon

Attempting to control or protect computers on the user side, or front end, doesn't work because not everyone knows how or is aware that it can be helped.  I'm not smart enough to know how to solve the the problem on the back end, the bad people who produce the spam, viruses, etc., but it seems that would be a better solution.  Extremely inteligent hard working people built the Internet.  I'm sure that there are some people that can come up with a way to make it more secure.

However, I must point out to some of us here in the discussion that the VAST number of users are not capable of cleanly rebooting let alone understanding this issue IMHO. If everyone was forced to understand these "toasters" as would be required in order to self service their bot-ready boxes, there would certainly be fewer doctors, lawyers and Indian chiefs.

"* Optional added paranoia: Add a timestamp as a hidden field and include it in the hash. Make the form expire if the timestamp is too old. Give users a way to submit the form again when the form expires, such as by returning the form pre-filled with the data they entered last time but with a fresh hash."