Perhaps Ed should have gone into greater detail; but it seems to me he made it fairly clear that the link to Felten's blog post leads to more info.
Botnets are actually just about peaking. Consumers are, increasingly, locking down their machines (though prompted by more visible infections of more overt viruses and spyware), and newer computers and operating systems have had firewall capabilities and the like shipping with them and enabled by default for a while. As older, infected machines are replaced, botnets will start weakening. Common malicious outbound traffic patterns might become targets for filtering by ISPs (hopefully without impacting user-desired traffic, such as p2p, but we know how likely the ISPs are to disrupt that intentionally and then blame it on spam filtering...) and e-mail itself might be superseded by a pseudonymous, sender-machine-address-authenticated form of mail.
Or we might simply see a rise in webmails and forwarding services that will do something like this:
Alice sends Bob an email, to his address at Gmail or a forwarding service or whatever. The service has no record of Alice as one of Bob's contacts, and as a result, the message isn't simply sent on for Bob to read yet. Instead, an autoreply is sent to Alice that directs her to the service's Web site. Once there she encounters a captcha. If she proves she's human, the message is released from quarantine and future messages from Alice to Bob encounter no obstacles. Unless of course Bob tells the service to block Alice or put her back on "probation".
This requires some way to identify Alice, so the system would require the captcha authentication for every message with any irregularity in the Received: header fields or no reverse lookup on the source IP. Otherwise, after one message is allowed through, future messages coming from the same IP sharing the same From: are passed through.
The effects on spam are as follows:
1. Spam sent directly from a consumer broadband address, generally from bot-infected PCs, produces a reply email that probably bounces (the errors-to or whatever address is phony), and nobody shows up and passes the captcha within the requisite time (say, one week). After a few such failures from the same source IP, it's blanket-blocked by the forwarding service and the spam doesn't even cost that service much anymore. None of it reaches a potential buyer/scam-victim/whatever.
Some of this spam may also be blocked by an ISP blocking outbound traffic whose destination port is 25 and source IP is a customer's machine (regardless of source port).
2. Spam sent via an ISP's mail exchange gateway is susceptible to being blocked readily by the ISP, which can terminate accounts misused to send spam through its gateway in the traditional manner. "Spamhaus" ISPs (ISPs that let users spam with impunity) get blacklisted as usual on the wider 'net. The forwarding services and webmails block them entirely, or filter most of the spam with the captcha, and the few where the spammer actually deigns to authenticate as a human get someone mad who then has that sender blocked from sending to them. If too many combinations of From and IP with the same IP are blocked or captcha'd, the ISP may be told to shape up or be blanket-blocked altogether.
Notice that none of the above depends in any way, shape, or form on filtering (Bayesian or otherwise) that might produce false positives. The only "false positives" occur when people send mail but either use a bogus reply-to or don't bother to verify they're human the one time. The mail can't have been that important, then, can it?
(For the record, mail sent to report spam using "abuse.net" did an authentication thing like this for a long time, and perhaps still does. It didn't use a captcha; it just authenticated that the message had a valid reply-to before whitelisting that sender from then on. Otherwise the service could have been abused to spam sysadmins. Adding a captcha makes it even more robust.)
The long-term result is especially interesting. Spammers have to either jump through hoops (per infected source machine!) to get their spam to its recipient, or the spam is blackholed without ever being seen by human eyes. Spam doesn't pay once it gets very little visibility and costs more time and effort to send at all. Spam itself would then decrease, botnets would devalue as this particular use decreased, and the costs to the mail filtering places would further decrease. In the long run, everybody wins -- except, of course, the spammers.
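The quarantine-and-captcha flow described in the comment above, as an added simulation written for this page (not code from the commenter or from any mail service). It models time as plain day numbers, keys the whitelist on the (From:, source IP) pair as the comment suggests, and the MAX_FAILURES threshold and the recipient_blocks helper are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field

CHALLENGE_TTL_DAYS = 7  # "say, one week" to answer the captcha; times below are day numbers
MAX_FAILURES = 3  # assumed: unanswered challenges from one IP before it is blanket-blocked
# regular_headers: Received: chain looks normal and the source IP has a reverse lookup
Message = namedtuple("Message", "sender source_ip regular_headers sent_at")


@dataclass
class Gateway:
    allowed: set = field(default_factory=set)  # (sender, ip) pairs that passed a captcha
    blocked: set = field(default_factory=set)  # senders the recipient blocked outright
    blanket_blocked: set = field(default_factory=set)  # IPs with too many dead challenges
    pending: dict = field(default_factory=dict)  # (sender, ip) -> (message, day issued)
    failures: dict = field(default_factory=dict)  # ip -> expired-challenge count
    inbox: list = field(default_factory=list)

    def receive(self, msg: Message) -> str:
        self.expire_challenges(msg.sent_at)
        if msg.sender in self.blocked or msg.source_ip in self.blanket_blocked:
            return "dropped"
        key = (msg.sender, msg.source_ip)
        if key in self.allowed and msg.regular_headers:
            self.inbox.append(msg)
            return "delivered"
        self.pending[key] = (msg, msg.sent_at)  # quarantine; the autoreply carries the captcha URL
        return "challenged"

    def solve_captcha(self, sender: str, ip: str, day: float) -> str:
        self.expire_challenges(day)
        entry = self.pending.pop((sender, ip), None)
        if entry is None:
            return "no open challenge"  # never issued, already answered, or expired
        self.allowed.add((sender, ip))
        self.inbox.append(entry[0])  # released from quarantine
        return "released"

    def expire_challenges(self, today: float) -> None:
        for key, (_, issued) in list(self.pending.items()):
            if today - issued > CHALLENGE_TTL_DAYS:
                del self.pending[key]
                ip = key[1]
                self.failures[ip] = self.failures.get(ip, 0) + 1
                if self.failures[ip] >= MAX_FAILURES:
                    self.blanket_blocked.add(ip)

    def recipient_blocks(self, sender: str, probation: bool = False) -> None:
        self.allowed = {k for k in self.allowed if k[0] != sender}  # back through the captcha
        if not probation:  # or blocked outright
            self.blocked.add(sender)
```

Note that a bot rotating From: addresses behind one IP never answers a challenge, so its IP is blanket-blocked after MAX_FAILURES expired challenges without any content filtering.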