Comodo Forum, Desktop Security Products / AntiSpam

Topic: Why isn't the challenge string variable?
VanguardLH (Comodo Family Member, 68 posts) wrote on July 25, 2008, 10:55:13 AM:

The configuration of Comodo AntiSpam has me specify the string used as the challenge (either within a graphic or as a secret code).  That means the same challenge gets sent to every sender, and the same challenge to the same sender if they fail on their response (they're allowed up to 3 chances, by default).  The same string on every challenge for every retry seems to somewhat defeat the purpose of the challenge-response scheme.  Say someone sends you an e-mail, you send back a challenge, and they respond with the correct string.  That sender turns out to be a spammer or malcontent who then adds your challenge string to the spam that is spewed from their zombies, who all have different e-mail addresses.  You send back a challenge to each zombie, who then responds with your static and stagnant challenge string.  All the zombies properly responded with your string, so now you get all that spam you were trying to avoid.  If the zombies can phone home, say, through a private chat room to get a list of e-mail addresses to target, they certainly can also get an updated string to add to the body of a response to a challenge.

For C-R to work and not be quite so hackable, it would seem the challenge string must be random and contain a jumbled mess of alphanumeric characters (non-case-sensitive, to avoid annoying humans with figuring out whether a particular imaged character is upper- or lowercase).  As it is now, you're giving out the same key to the door into your e-mail account to every sender.
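The replay scenario described in the post above, as an added example that is not code from the original thread or from Comodo: a toy challenge/response filter that can run either with a fixed challenge string (the configuration the post describes) or with a fresh random token per challenge, and a simulated botnet in which one spammer completes the challenge once and hands the learned string to zombies that reply blind. All sender addresses, the `OpenSesame` secret and the filter's behaviour on retries are assumptions made for the illustration.

```python
import hmac
import secrets


class ChallengeResponseFilter:
    """Toy model of a challenge/response (C-R) mail filter (not Comodo's code).

    static_secret: a fixed challenge string, as in the configuration the post
    describes.  None means issue a fresh random token for every challenge.
    """

    def __init__(self, static_secret=None, max_attempts=3):
        self.static_secret = static_secret
        self.max_attempts = max_attempts      # 3 chances, as the post states
        self.allowlist = set()                # senders who answered a challenge
        self.pending = {}                     # sender -> {"token", "attempts"}
        self.inbox = []                       # (sender, body) that reached the user

    def _new_token(self):
        # Static mode hands every sender the same key; random mode does not.
        return self.static_secret or secrets.token_hex(8)

    def receive(self, sender, body):
        """Process one inbound mail and return the filter's action as a string."""
        if sender in self.allowlist:
            self.inbox.append((sender, body))
            return "delivered"
        if sender not in self.pending:
            token = self._new_token()
            self.pending[sender] = {"token": token, "attempts": 0}
            return "challenge:" + token
        return self._check_response(sender, body)

    def _check_response(self, sender, body):
        entry = self.pending[sender]
        entry["attempts"] += 1
        # Constant-time compare so the check itself leaks nothing about the token.
        if hmac.compare_digest(entry["token"], body.strip()):
            del self.pending[sender]
            self.allowlist.add(sender)
            return "verified"
        if entry["attempts"] >= self.max_attempts:
            del self.pending[sender]
            return "rejected"
        # On a failed retry the static secret is simply resent (the behaviour
        # the post complains about); the random variant rotates the token so a
        # wrong guess buys the sender no information about the next challenge.
        entry["token"] = self._new_token()
        return "challenge:" + entry["token"]


def run_botnet_attack(static_secret=None, zombies=5):
    """Replay attack from the post: one spammer answers a challenge honestly,
    learns the challenge string, and hands it to zombies that reply blind.
    Returns how many zombie messages reached the inbox."""
    flt = ChallengeResponseFilter(static_secret)

    # Step 1: the spammer behaves like a normal sender and completes C-R once.
    reply = flt.receive("spammer@example.net", "hello")      # constructed sender
    leaked = reply.split(":", 1)[1]
    assert flt.receive("spammer@example.net", leaked) == "verified"

    # Step 2: each zombie sends spam, is challenged, and answers with the
    # leaked string up to max_attempts times without reading its own challenge.
    delivered = 0
    for i in range(zombies):
        zombie = f"zombie{i}@example.org"                     # constructed sender
        flt.receive(zombie, "buy now")                        # triggers a challenge
        for _ in range(flt.max_attempts):
            if flt.receive(zombie, leaked) == "verified":
                break
        # Only an allowlisted zombie gets its next mail into the inbox.
        if flt.receive(zombie, "buy now") == "delivered":
            delivered += 1
    return delivered


if __name__ == "__main__":
    print("static secret:", run_botnet_attack("OpenSesame"), "of 5 zombies delivered")
    print("random tokens:", run_botnet_attack(None), "of 5 zombies delivered")
```

With the static secret every zombie is allowlisted on its first reply; with per-challenge random tokens the leaked string never matches and each zombie is rejected after three tries. The random variant does not stop an adversary whose zombies actually parse the challenge mail they receive, but it removes the one-time leak the post describes: there is no longer a single string that, once learned, opens the mailbox to every sender.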
Junhua (Newbie, 17 posts) replied on July 29, 2008, 02:48:03 AM:

Hi VanguardLH:

Your advice on the passcode is valuable; we may need to consider adopting a one-off passcode for the challenge/response system.