Simple answer
If the IDs of compromised PCs can be lifted from the DDOS or the spam-emails, prosecute the owners of said PCs for aiding and abetting. It's the only way.
Users of vulnerable systems need to wake up and either replace those system or bring their security up to snuff.