 
One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate.
If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc.), then put 'em back behind the relays.
guilty until proven innocent, eh? thanks mr ashcroft.
Randy, are you objecting to the model for initial connectivity, or the throwing them back behind relays w/o a formal trial?
the former, see previous post about the e2e internet

if you can actually diagnose bad traffic, then you may have a right to act

randy