How Can Challenge Response Deal with Spoofing?

The original premise of C-R is that when spam is sent, you will effectively double the resulting internet traffic, because every spam will result in a challenge (which presumably will be ignored, or at least that's the premise upon which the C-R solution is based). However, if the spammer spoofs a legitimate email address, which I believe is very common, then the situation is much worse, as I illustrate below.

Let's say Spammer Sam sends a spam email to Alice (who uses a C-R system), but spoofs Bob's email address. There are two cases to consider:

1. Bob does not use a C-R system

- Sam sends email to Alice
- Alice's C-R system sends challenge to Bob
- Bob gets puzzling challenge mail and sends angry mail to Alice
- Alice receives this angry mail as well as the orginal spam, as Bob's mail has now passed the challenge responded to the challenge

Two extra emails have been generated (effectively tripling the email load of the original spam), and confusion for Alice and Bob is the result. Alice has also received the spam.

2. Bob also uses a C-R system
- Sam sends email to Alice
- Alice's C-R system sends challenge to Bob
- Bob's C-R system sends challenge to Alice
- this may carry on indefinitely, but one would hope the C-R systems would be smart enough to recognize duplicates and ignore subsequent emails

In this case, neither Alice nor Bob receive any confusing mail, Alice does not receive her spam, but again the original spam has been tripled.