none of this works if spammers use dubious means
(e.g. viruses) to harness home machines (and by implication
the authentication info that allows the home user to send emails)
to send their spam for them.

doesn't this already happen?
or is it just for the DDOS attacks?