no ip forged-source-address

in cisco parlance,
ip verify unicast source reachable-via any allow-default allow-self-ping
would be fine in the core, and as a default setting.

Would still need to enable strict settings on applicable borders,
which would probably be skipped by the clue impaired, but
some of the crap would be caught, which is better than none.