It seems that the spammers' messages had generated thousands of invalid address messages, recipient autoreplies and responses from junk-mail checkers requesting validation of the sender's identity. Many companies don't have a catch-all e-mail address to avoid these types of replies--but it's a necessity in our business, so we don't have a choice.
Bucky and his crew checked the headers of many of the messages. Some of the bounces included the original message with the return message, but the spammers were using forged IP addresses, so it was difficult to track the messages' origin. The messages did include "unsubscribe" links, but they went to a throwaway e-mail address from one of the free public services. The penny stocks existed--we called some of the firms involved, but of course, they disavowed any knowledge of the scam.
In our view, there was more to the situation than just dealing with annoying e-mail messages--it was akin to the identity theft of our company name. Bucky called a few cybercrime contacts, but their response was not swift.
Our first action was to install a lengthy content filter for our catch-all e-mailbox. This filter automatically deletes e-mail with subject lines that contain certain keywords, such as auto, block, confirm, delivery, error, fail, nondelivery, problem, reject, return, undeliverable and unknown. We even added an international flavor to the filter, including terms like falshe, filtro and zustellungsfehler (don't ask me exactly what those mean, but you get the idea). We still get a ton of bounces and replies to spoofers, but the content filter pushes them aside. Ignorance is bliss.
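A subject-line filter of the kind described above, as an added Python sketch rather than the filter Bucky's crew actually installed. The case-insensitive substring matching, the function names and the sample messages are assumptions; the keyword list is the one given in the article.

```python
import email
from email import policy

# Keywords from the article, matched as case-insensitive substrings (assumed).
KEYWORDS = ("auto", "block", "confirm", "delivery", "error", "fail",
            "nondelivery", "problem", "reject", "return", "undeliverable",
            "unknown", "falshe", "filtro", "zustellungsfehler")

def matched_keyword(raw: bytes):
    """Return the first keyword found in the decoded Subject, or None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words, so a bounce whose
    # subject arrives as =?utf-8?Q?...?= is still matched.
    subject = str(msg.get("Subject", "")).casefold()
    for kw in KEYWORDS:
        if kw in subject:
            return kw
    return None

def triage(messages):
    """Split raw messages into (kept, dropped) by subject keyword."""
    kept, dropped = [], []
    for raw in messages:
        (dropped if matched_keyword(raw) else kept).append(raw)
    return kept, dropped

# Constructed sample messages (not taken from the article).
SAMPLES = [
    b"From: mailer-daemon@example.net\r\n"
    b"Subject: Undeliverable: Hot stock tip\r\n\r\nbounce",
    b"From: postmaster@example.de\r\n"
    b"Subject: =?utf-8?Q?Zustellungsfehler=3A_Ihre_Nachricht?=\r\n\r\nbounce",
    b"From: customer@example.org\r\n"
    b"Subject: Question about your pricing\r\n\r\nreal mail",
    # A legitimate message that is dropped anyway: "auto" matches "Automobile".
    b"From: buyer@example.com\r\n"
    b"Subject: Automobile fleet quote request\r\n\r\nreal mail",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(matched_keyword(raw))
```

The last sample shows the cost of short keywords such as auto: legitimate mail to the catch-all address is deleted along with the bounces, so routing matches to a quarantine folder for periodic review is the safer variant.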