Re: Where to start...
> All that remains are compromised computers that rapidly come and go.
Not as short-term as you might think. There's persistent offenders and ISPs that fail to do anything. Also noting the great firewall of China stops precisely fck-all spam.
>> if you find that it's the NAT router of some large ISP
Again the ISPs failing to do anything because a regular (i.e. non-business line) user sending mail only needs port 25 to the ISP's relay and not outside that network and sending via an external server is already an old 'standard' on port 587 and authenticated (and not the ISPs problem).
And yet the vast majority of what I get (and I include failed attempts that 'spam stats ignore) is from non-business dynamic IPs and a large proportion of that is relay attempts and not actual spam to me, with frequent batches of 'auth login' attempts.
+/- disclaimer, anecdote != data :p