Not a white list as you'd think of it, more like this:
Your ISP routes all traffic coming out of your computer (more specifically, your connection), and it knows your IP address and also any email accounts you've established with their mail server. All IP packets are tagged with the sending as well as the receiving IP address, and all SMTP traffic contains headers identifying the sender of the email (the "From" address).
If your ISP detects outgoing packets whose sender IP doesn't match the IP in the routing table, they get black holed and disappear. If the quantity of bad packets exceeds an established threshold, it triggers an email to your registered account. If it continues to occur, it locks your access so that any attempt to open an Internet address redirects to a page telling you that an infection was detected and giving instructions to reactivate your account. This process would be human-supervised.
Email is trickier. Most bots these days use their own built-in SMTP handler. So, the ISP's goal is to read the headers of all outgoing SMTP packets. If the From address is missing or does not match an email address registered to the ISP account, it is flagged as suspicious. The behavior at that point would depend on a number of factors, possibly including screening the email through a spam filter to see if it triggers a match, or if it contains suspicious attachments, etc - basically the same process ISP use to filter incoming mail. A sufficient accumulation of matches triggers a human alert that can ultimately lock down the account in the same manner as above.
A similar process could be applied to web servers hosted by the ISP user, or if the user is running a private mail host. Many users do run their own hosts/websites, but the ISP could require them to whitelist by submitting an electronic application, basically saying, "Yes, this is my private web server and not a bot." Ideally, this process would require authentication so a bot couldn't simply spoof it.
This would work for two reasons: first, the average non-technical user doesn't host their own websites or mail servers, so there's no reason for them to ever run afoul of the policy unless they get infected. Second, those users who are savvy enough to roll their own servers should be aware of and able to intelligently comply with their ISP's policy.
Webmail complicates this somewhat, unfortunately, and has indeed become increasingly used by hackers for this very reason: some ISPs are getting canny about restricting bot-generated outgoing mail.