I see evidence of this. Here's a plot of the spam I've received over the past few years:<p><a href="http://www.solipsys.co.uk/images/SpamByMonth.png" rel="nofollow">http://www.solipsys.co.uk/images/SpamByMonth.png</a>
The problem with sending a message to people telling them they're infected isn't that it's unethical, it's that they'll just think it's some trojan trying to get access and close the window.
Why would the criminals put the command & control servers all in one place? Shouldn't they have backups elsewhere which will enable them to repudiate the seized servers and retain control of the bots?