The idea breaks down into 4 easy and 1 difficult steps.
1. Collect IP & timestamp data from various websites
A user, we'll call him Kenneth, browses the web to his favorite site. There he downloads a small script and a 1x1 transparent .gif file. That gif puts a cookie onto the Kenneth's machine with a unique ID. In addition, it saves the time, the uniqueID, the source domain and Kenneth's current IP into a database. As Kenneth browses the web, we accumulate more and more hits and are able to track his IP over time. We can know when his IP changes. No information other than source domain, IP, date and uniqueID are ever stored.
2. Collect RDNS and SPF failures from various mail servers.
Kenneth's computer has been compromised by hackers and is sending spam to thousands of servers claiming to be ebay.com. The mail servers recognize from ebay's NS record that ebay isn't hosted in Slovenia and therefore identify the mail as a SPF or RDNS failure and put it in a special mailbox for us to retrieve. Our servers download that mail and store the IP address and timestamp into a database.
3. Check the user against the Zombie DB
After many weeks of collecting data, Kenneth visits his favorite site and our servers identify him as being in the confirmed zombie database. Sorry Kenneth.
4. Get users to remove the virus/trojan (the hard part)
Rather than seeing his favorite site Kenneth is forwarded to a special page on AVG Anti-Spyware's website to download their free software and rid himself of trojans, virii and malware forever (or not). Upon successful download, AVG informs our servers and we temporarily remove Kenneth from our zombie database.
5. Rejoice as spam and DDOS attacks cease.
A large party is held during a monster truck rally at the Rosemont Horizon to celebrate the cessation of spam and DDOS attacks worldwide.