What kinds of mechanisms exist for keeping track of the origins of something of this nature?
Normally that's not very productive as they are mostly owned boxes that will be rebuilt and reowned in days :(
We could automate the tracing process, like *57 customer-initiated trace on the telephone network ($5 per use). But then what? You can track the sources as quickly as you can, but part of the question becomes how long and how many sources do you keep blocked once you have tracked them. Is it one strike and you're out forever? If 80% of the attacks are not spoofed, why not create yet another RBL and keep adding more and more addresses? If you remove the filter after the attack stops, it will just come back or they'll choose a different victim. Do we need the equivalent of a dog bite law for computers? If your computer attacks another computer, the owner is responsible. File a police report, and the ISP will give the results of the *57 trace to the local police. The police can then put down the rabid computer, permanently.