It depends. Back in the days when I was dealing with hundreds of spammers and attackers as a security officer I have even seen people ending up in the jail. But again, it will depend on the ISP / Enterprise, the local laws - California may be different than, let's say, Arizona, though they are neighbors, and especially the way you report the attacks / spam messages. Both Spamcop.net and Spamhaus.org do a pretty good job in providing cooperation to network / abuse admins through automated mail systems. There's a risk, however - some or all of the IP addresses may be indeed legitimate, but the attack itself deploys forged addresses injected directly into TCP packets.
Nevertheless, all spam messages fall under the CAN SPAM ACT 2003.
As for the SSHD attacks, you may consider those general advises, deploy sshdfilter or implement SSHBL.
HTH.

Thank you!

In my experience it is very rare that anything consequential can be done about such attacks. This is because:

a) Usually executed behind offshore proxies
b) lack of political will

(unfortunately)

Well, If you see attacks originating from any machine, I'd block them.