It's quite sad to still, in 2012, see huge IP ranges of dynamic IP customers who shouldn't be sending email spamming mail servers with junk. Why aren't we just turning these ISPs off, literally dropping their AS blocks, so they can't do anything until they sort out their problems?
My own mail server with a single domain sees 99.9% of its connections coming from dynamic IP ranges (the simple tests of "no valid reverse host name" and "not listed on Spamhaus" eliminate 99.9% of all connection attempts!).
And yet I *still* see Google sending me bounce-backs which have been sent by someone else, forging my address in the "From" (so which mail server allowed that in the first place?), Google noticing that it is spam or to an undeliverable address, and then sending it back TO ME. Standard practice? What's INCREDIBLY annoying is that when the email is sent "from" me and "to" me, the Google servers include headers in the email which suggest they not only looked up my domain, but read my SPF records and then rejected the message because my SPF records tell it that it's a fake, but then Google BOUNCES IT right back to the fake domain that it knows is fake because it just looked it up. I wrote a script to reject bounce-backs from Google where they have obviously looked up my domain name's SPF record and spammed it on someone else's behalf anyway, with a customised message to their mail admins - not that they'd bother to look.
That's not to mention making up email addresses that have never existed, even trying to forge DKIM signatures for my own domain when sending email to it! What is the point in a little home-server guy implementing all this stuff properly, from SPF to DKIM to just plain blocking of a stupid amount of connections that are obviously fake, if the big companies don't do the same, don't enforce the same for their customers, and are too stupid to do anything but add to the mess themselves, let alone start cleaning up their customers and blocking machines?
About 90% of the blocked IPs that I bother to go look up are marked as being part of a botnet, and have been for an extended length of time. Just what are the ISPs of those users (who *aren't* all in the legally-unreachable corners of the globe) doing to not know they are listed and to allow their users to just directly spam sometimes hundreds of connections a second to mail servers direct?
We have perfectly good systems in place to DRASTICALLY reduce this amount of junk but nobody is using them. When 99.9% of email fails because of simple checks even AFTER it has arrived at my domain (which has SPF and DKIM records), we need to give it up. Yet what we're instead doing is chasing the tails of botnets which would be pretty useless if they couldn't spread email and thereby create funds and attack vectors for their controllers.
When almost every IP I bother to manually look up on CBL shows me instantly that it's part of an established botnet and is known to be spewing spam, sometimes for YEARS, we're just not doing enough to stop the problem.
Implement SPF, DKIM and other measures. Stop being part of the bounce-back mechanism with obviously-forged return headers. Block outgoing email from your users unless authenticated to your internal mail server. That will honestly cut out so much spam that it would become quite impractical to operate a botnet in the first place. And we seriously just need a DNSBL with high update rates for such things so we can just block at the firewall and thereby prevent spreading of the infection and attacks from infected machines, and incur such fallout from ending up on the lists that some places will cry if they end up on it because of an internal infection.
What we actually need is just a new mechanism for email entirely, and for people to secure their damn machines. But what's practical is an ISP-level agreement on what to block and what not. Lots of ISPs block outgoing SMTP unless through their servers (or you provide an exception with appropriate guarantees of non-abuse measures), and I've even seen a couple that block SMB ports too. There are just too many dumb home users with no security (or Norton Antivirus, which is pretty much the same thing) causing problems for everyone else, and it's about time we started shutting them off and cleaning them up.
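The two connection-time tests the post relies on (no valid reverse host name, and a Spamhaus listing) are easy to get subtly wrong: a DNSBL answer has to be reversed-octet encoded and decoded by return code, and "valid reverse DNS" should mean forward-confirmed reverse DNS, not merely "a PTR exists". The following is an added example, not code from the post's author, showing both checks with the resolver injected so it runs offline. The `zen.spamhaus.org` return-code table is taken from Spamhaus' published documentation and should be checked against their current docs; all sample DNS answers and IP addresses are constructed for the example.

```python
"""Connection-time SMTP client checks: DNSBL (Spamhaus ZEN format) and
forward-confirmed reverse DNS (FCrDNS). Resolvers are injected callables so
the policy logic can be exercised without network access."""
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

LookupA = Callable[[str], Optional[List[str]]]   # name -> A records, None on NXDOMAIN
LookupPTR = Callable[[str], Optional[str]]       # IPv4 -> PTR name, None on NXDOMAIN

ZEN_ZONE = "zen.spamhaus.org"

# Return codes published by Spamhaus for the ZEN combined list.
# Assumption: verify against current Spamhaus docs before deploying.
ZEN_CODES = {
    "127.0.0.2": "SBL",        # verified spam sources
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",   # exploited hosts (CBL data)
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL-ISP",   # end-user / dynamic ranges that should not send direct
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listings(ip: str, lookup_a: LookupA, zone: str = ZEN_ZONE) -> Set[str]:
    """Return the set of ZEN lists the address is on (empty if unlisted)."""
    hits: Set[str] = set()
    for answer in lookup_a(dnsbl_query_name(ip, zone)) or []:
        if answer.startswith("127.255.255."):
            # Spamhaus uses 127.255.255.0/24 to signal query errors (e.g. a
            # blocked public resolver); never treat an error as a listing.
            continue
        hits.add(ZEN_CODES.get(answer, "unknown:" + answer))
    return hits


def fcrdns(ip: str, lookup_ptr: LookupPTR, lookup_a: LookupA) -> Tuple[str, Optional[str]]:
    """FCrDNS: PTR must exist and its A records must contain the client IP."""
    name = lookup_ptr(ip)
    if not name:
        return "none", None
    forward = lookup_a(name) or []
    return ("ok" if ip in forward else "mismatch"), name


def evaluate_client(ip: str, lookup_a: LookupA, lookup_ptr: LookupPTR) -> Dict[str, str]:
    """Policy for a connecting SMTP client: DNSBL first, then reverse DNS."""
    hits = dnsbl_listings(ip, lookup_a)
    if hits:
        return {"action": "reject", "reason": f"listed in {ZEN_ZONE}: " + ",".join(sorted(hits))}
    status, name = fcrdns(ip, lookup_ptr, lookup_a)
    if status == "none":
        return {"action": "reject", "reason": "no reverse DNS"}
    if status == "mismatch":
        return {"action": "reject", "reason": f"reverse DNS {name} does not resolve back to {ip}"}
    return {"action": "accept", "reason": f"FCrDNS ok ({name})"}


# Constructed sample zone data for offline use; not real DNS answers.
SAMPLE_A = {
    "mail.example.org": ["192.0.2.10"],
    "host.example.net": ["192.0.2.1"],                        # forward does not confirm
    "77.100.51.198." + ZEN_ZONE: ["127.0.0.11"],              # PBL: dynamic range
    "50.2.0.192." + ZEN_ZONE: ["127.0.0.4", "127.0.0.11"],    # XBL bot, also in PBL
    "5.113.0.203." + ZEN_ZONE: ["127.255.255.254"],           # query error, not a listing
}
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.99": "host.example.net",
    "198.51.100.77": "cpe-198-51-100-77.dyn.example.isp",
}


def make_fake_resolvers(a_table=SAMPLE_A, ptr_table=SAMPLE_PTR) -> Tuple[LookupA, LookupPTR]:
    """Dictionary-backed stand-ins for real A/PTR lookups."""
    return (lambda name: a_table.get(name)), (lambda ip: ptr_table.get(ip))


if __name__ == "__main__":
    a, ptr = make_fake_resolvers()
    for client in ("192.0.2.10", "198.51.100.77", "192.0.2.50", "203.0.113.5", "192.0.2.99"):
        print(client, evaluate_client(client, a, ptr))
```

In production the two lambdas would wrap a real resolver (for example `dns.resolver` from dnspython) pointed at a resolver that is allowed to query Spamhaus; the 127.255.255.x branch matters precisely because a free public resolver will return those codes instead of real listings, and treating them as hits would reject every client.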