...and, occasionally, your ISP's "abuse desk." If this function of your ISP costs less than 1 FTE per 10,000 dialups or 1,000 T1's or 100 T3's, then your ISP is a slacker and probably a magnet for professional spammers as well.
Not to try to undercut the general point, but that would imply that Earthlink, AOL, and MSN (for examples) should have a combined abuse department of roughly 1500 employees. Well, perhaps those were poor examples then.
as i told patrick, the numbers are round, and a survey is needed. it's definitely going to be the case that scale will lead to economy, and AOL could most likely get by with only 100 full time "abuse desk" staffers as long as the rest of their service model were optimized to make abuse difficult to propagate. i doubt they will comment in detail here, since the actual numbers are likely to be some kind of internal secret. i know i get far less spam from AOL than i used to, and i've assumed that this is because they decided to address the costs at the front end (in their service model) rather than the back end (in endless cleanup.)
It would be wonderful if it were the case, and while it seems like laziness when we talk about the big guys, most middle sized providers just don't have the operating budgets to not slack at least a little bit.
whenever you get spammed, it's because some isp somewhere is a slacker, and is letting you pay the price for their lack of investment in this critical area. (spam is not unlike route flaps in this way, i suppose.)
But this debate (I'm not debating with *you*) keeps coming around full circle. Perhaps the real social problem is convincing whatever standards bodies and vendors necessary that it is a technical problem.
i think it's clear that everybody wants it to be somebody else's problem.
There seems to be far too much apathy (FUD?) rather than just designing a partial solution, however imperfect, and implementing it.
as the designer of several partial solutions which have been implemented, i agree from experience. spam's assymetric cost:benefit ratio (between a spammer and a victim) really institutionalizes apathy. the benefit to one spammer in being able to outwit a defense is a measurable success in that day's events. the benefit to one victim in being able to erect a defense which stops one kind of spam or spam from one source or what have you is immeasurably small compared to the deluge of other crap that'll come over the gunwales in the same diurnal period. no solution which does not progressively leverage the combined small efforts of millions of spam victims will ever be measurably effective other than in some small locality and/or for some brief instant. see the DCC for an example (http://dcc.rhyolite.com/) of how to build and apply that leverage. (i'm not giving the reference to vipul's razor because i said "millions.") -- Paul Vixie