Disclaimer: I am a lawyer, and I am also in IT administration at a public university.
ASU may or may not have such rights. Public universities occupy a broad role, in that they are generally considered agents of the government, and as such are subject to all of the legal issues that entails, including 1st amendment issues.
Also, public universities *are* ISPs. They are not traditional commercial ISPs, but most provide network access for a large group of residents, and provide other network services for incredibly diverse groups at a level that puts most commercial ISPs to shame. That access is not always solely for school use. To pretend otherwise is to argue from a position of absurdity.
Universities certainly have the right and responsibility to ensure the security and stability of their networks. However, they also have the responsibility to do so in the least restrictive manner possible. In the public case, this is partially to ensure that protected rights are not infringed. However, it is crucial to remember that universities are places for growth, learning, and research. As any network blocking puts that mission in jeopardy (you can't possibly be aware of every research project, and you can't effectively guarantee that your block doesn't harm your core mission), the proper course here would have been for the firewall or mail admins to temporarily block messages from the offending servers in order to maintain service availability.
While I don't claim that my employer should be upheld as the great example for IT policy (far from it, in many ways), I do believe that the current firewall policy is in the best traditions of academia. For most VLANs, the firewall blocks only the most commonly exploitable ports (Windows file sharing is the only example I can recall off the top of my head.) If a particular machine on the network causes issues (primarily botnets, DMCA notices, other viruses/trojans), that port is shut down with an email notice to IT security staff across the University. Once the problem is remedied, the port can be reactivated by the IT personnel investigating the incident.
Floods to particular services, including spam, are handled at the service level, never by a blanket firewalling of an external IP. Our mail gateways/scanners are sufficient to handle this type of problem on their own, and our student population is about half of ASU's. If their systems can't handle a single spam source, they need to check their budget or their strategic planning.
Comparing this to an employer blocking a website for its employees is comparing apples and lead bricks. Most people on campus are not employees, and for many ASU is furnishing the only network connection they have. Moreover, as mentioned above, openness is core to the values of a University. Blocking twitter at my law firm was no big deal. Block it at my University and we've got problems, because there are people doing valuable research with that data.