
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Dutch ISPs to collaborate and take responsibility

  • From: Michael Painter
  • Date: Fri Oct 09 23:27:02 2009

Lee wrote:
If an ISP is involved with tracking down DDOS participants or
something, I can understand how they'd know a system was compromised.
But any kind of blocking because the ISP sees 'anomalous' traffic
seems .. premature at best.  SANS newsbites has this bit:
 On Thursday, October 8, Comcast began testing a service that alerts its
 broadband subscribers with pop-ups if their computers appear to be
 infected with malware.  Among the indicative behaviors that trigger
 alerts are spikes in overnight traffic, suggesting the machine has been
 compromised and is being used to send spam.

When my son comes home from college, there's a huge spike in overnight
traffic from my house.  With all the people advocating immediate
blocking of pwned systems in this thread, I'm wondering what their
criteria is for deciding that the system is compromised & should be
blocked.

Lee

Some info. here (from http://networkmanagement.comcast.net/ ):
5. Detection of Bots
http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03
http://tools.ietf.org/html/draft-livingood-web-notification-00



