It depends. Back in the days when I was dealing with hundreds of spammers and attackers as a security officer I have even seen people ending up in the jail. But again, it will depend on the ISP / Enterprise, the local laws - California may be different than, let's say, Arizona, though they are neighbors, and especially the way you report the attacks / spam messages. Both Spamcop.net and Spamhaus.org do a pretty good job in providing cooperation to network / abuse admins through automated mail systems. There's a risk, however - some or all of the IP addresses may be indeed legitimate, but the attack itself deploys forged addresses injected directly into TCP packets.
Nevertheless, all spam messages fall under the
CAN SPAM ACT 2003.
As for the SSHD attacks, you may consider
those general advises, deploy
sshdfilter or implement
SSHBL.
HTH.