Mind you, it would help if some of the anti-abuse groups would band together under some umbrella organization that ISPs could join. Botnet researchers, SPAM fighters, etc. That way there could be some sort of good housekeeping seal of approval that ISPs can use to competitive advantage in the marketplace. At that point, money starts to talk and there is an economic incentive to clean up your act and get that "seal".
What would help more would be if people realized that worms and viruses aren't like crack, they're more like biological WMD. As such, it is unlikely to be a productive solution holding the city where the WMD are being delivered liable. That becomes a game of legal whack-a-mole. What is needed, instead, is to hold the companies selling the technology used to build these WMD liable. If companies that made vulnerable OSs were held liable for the damage caused by those vulnerabilities, you would rapidly see $$ make a BIG difference in the security quality of OS Software. Why do we have seat belts in every car manufactured today? Because auto makers started getting held responsible for injuries caused by the failure to install them. As much as I think product liability law, especially in the US, has become insane, the software industry (where it so far hasn't really been applied) is one area SCREAMING for this to happen. Eliminate (or even significantly reduce) the number of systems being sold with virus friendly toolkits and features enabled by default, and, you will go a long way towards reducing the spam and virus/worm problem. Owen -- If it wasn't crypto-signed, it probably didn't come from me.