Common sense?
If spam costs $64Bn a year and earns the spammers $1Bn,
wouldn't it just make sense to pay them $6.4Bn not to spam
and to patch their bots?
:-)
Of course, this would never happen... but ISPs should be forced to take more responsibility by blocking outgoing port 25, for example, for their subscribers, unless they request it. However, this wouldn't stop DDoS attacks on other ports, or form spam, referrer spam, etc.
I wrote a nice system that blocks SSH attacks and sends a nice mail to the owner of the IP block, and it has had some success in notifying users of compromised machines.
I expanded it to do the same for spam and other mail/FTP abuses... so far sending out hundreds of notifications per day. Most fall on deaf ears, bad abuse addresses, etc., but some do get through to some responsible providers who at least make an effort to clean up some of their zombies.
The whole reporting system needs overhauling, and records need to be kept up to date. Implementing such a global and binding system will not be trivial, and it would be a prime DDoS target for every criminal on the planet enjoying the current free-for-all. At least it would dilute their resources to attack elsewhere.
If we can start to wrestle the zombies out of their hands then they will have less ammunition to abuse in the future and be easier to track and manage.
The whole situation now is just such a massive problem that no ISP has the resources to keep their networks clean because they are just trying to survive on minimum profit margins through misguided competition on price and bandwidth while not emphasizing security and user welfare.
So, if they need a hand in setting this up, I'm in...
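As an added illustration of the kind of reporting pipeline the post describes (detect brute-force SSH sources from sshd logs, find the abuse contact for the source's address block, draft a notification, and keep a separate list of sources whose block has no usable abuse address), here is a small Python sketch. It is not the poster's system. The log lines are constructed, the `ABUSE_CONTACTS` table is a stand-in for a real WHOIS/RDAP lookup, and the threshold of five failures is an arbitrary choice for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample sshd lines (syslog format). Not taken from any real host.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:14 host sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar  3 10:01:17 host sshd[2213]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:20 host sshd[2214]: Failed password for root from 198.51.100.7 port 51031 ssh2
Mar  3 10:01:25 host sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 51040 ssh2
Mar  3 10:02:01 host sshd[2220]: Failed password for invalid user oracle from 203.0.113.9 port 40001 ssh2
Mar  3 10:02:03 host sshd[2221]: Failed password for invalid user oracle from 203.0.113.9 port 40002 ssh2
Mar  3 10:02:04 host sshd[2222]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2
Mar  3 10:02:09 host sshd[2223]: Failed password for invalid user oracle from 203.0.113.9 port 40004 ssh2
Mar  3 10:02:15 host sshd[2224]: Failed password for invalid user oracle from 203.0.113.9 port 40005 ssh2
Mar  3 10:03:00 host sshd[2230]: Failed password for alice from 192.0.2.44 port 33000 ssh2
Mar  3 10:03:10 host sshd[2231]: Accepted password for alice from 192.0.2.44 port 33001 ssh2
"""

# Hypothetical abuse-contact table standing in for a WHOIS/RDAP lookup (assumption).
# 203.0.113.0/24 deliberately has no contact, to exercise the "bad abuse address" path.
ABUSE_CONTACTS = {
    "198.51.100.0/24": "abuse@example-isp.net",
    "203.0.113.0/24": None,
}

# Matches OpenSSH "Failed password" lines, with or without the "invalid user" marker.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failed_logins(log_text):
    """Return (timestamp, user, ip) for every failed SSH password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("ip")))
    return events


def offending_sources(log_text, threshold=5):
    """Count failures per source IP; keep sources at or above the threshold."""
    counts = Counter(ip for _, _, ip in parse_failed_logins(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def abuse_contact(ip):
    """Return the abuse contact for the block containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, contact in ABUSE_CONTACTS.items():
        if addr in ipaddress.ip_network(cidr):
            return contact
    return None


def build_reports(log_text, threshold=5):
    """Draft one notification per abuse contact.

    Returns (reports, unreachable): reports maps contact -> message text;
    unreachable lists offending IPs whose block has no usable contact, so they
    can still be blocked locally and queued for manual follow-up.
    """
    events = parse_failed_logins(log_text)
    per_contact = defaultdict(list)
    unreachable = []
    for ip, n in sorted(offending_sources(log_text, threshold).items()):
        contact = abuse_contact(ip)
        if contact is None:
            unreachable.append(ip)
            continue
        stamps = [ts for ts, _, src in events if src == ip]
        users = sorted({u for _, u, src in events if src == ip})
        per_contact[contact].append(
            f"- {ip}: {n} failed SSH logins between {stamps[0]} and {stamps[-1]} "
            f"(usernames tried: {', '.join(users)})"
        )
    reports = {}
    for contact, lines in per_contact.items():
        reports[contact] = (
            f"To: {contact}\nSubject: Possible compromised host(s) in your network\n\n"
            "Our sshd logged repeated failed logins from the following address(es), "
            "which usually indicates a compromised machine:\n"
            + "\n".join(lines) + "\n"
        )
    return reports, unreachable


if __name__ == "__main__":
    reports, unreachable = build_reports(SAMPLE_LOG)
    for text in reports.values():
        print(text)
    print("No abuse contact on record for:", unreachable)
```

The split into `reports` and `unreachable` is the point of the example: the sources you cannot notify are exactly the ones the post says most reports run into, and they still need local blocking and a record for later follow-up rather than silently dropping out of the pipeline.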