We are all already paying for it, botnets cost billions of dollar losses, guess who pays for that? This wouldn't be a heuristics AV. If someone's sending out packages to port 25 at full speed there isn't much room for false positives. The customer is called and he says, "yeah I know, I run a mail server" - case solved. You call the customer and he's like "SMTP what?" you tell them "you are infected, they are probably stealing your data, get help, you have a month, we can send someone at your cost, you can solve it yourself or we have to disconnect you if you ignore this". "Oh, I'm infected? I had no idea! Thank you for notifying me!" How would you do that?