It may be interesting to index the whois info on reply-to/links, to find multiple domains registered by a single company (or groups of companies...)
I'm persistently seeing a lot of spam (10+ messages/day) that seems to be from a single source - some domains share registration info & the message text has patterns.
The problem is, they use a nested structure: a disposable first layer, and second layer for privacy.
(Isn't that a Stephenson or Gibson idea, to have an AI set up & constantly modify the structure of deeply nested corporations for hiding/privacy/early-warning/deniability? - If someone calls you, you say -- I'm only a consultant for the board of Corporation 123...)
The mail is sent from random(?) servers
The text usually includes a postal address, and "This is an advertisement" (if their opt-out link worked, they would almost be CAN-SPAM compliant...)
Links/images contain giant tracking IDs (88 characters)
Domain of the link forwarders & ReplyTo address is random
There is no website at the domain root (only 404)
Is always registered to one of several PO boxes (in Nevada)
Is it possible to just ask for a PO box owner's name (over the phone?), since it is being used for business purposes?
Contact email is at another "parent" domain
The parent domains have whois privacy turned on
The parent domains host a dummy website - they are all identical (and non-functional), except for the name and background image.
The parent site is distributed: DNS, mail & webhost (possibly Cloudflare protected) are different providers and not directly linked to sending spam mail or links in the spam
Some of the frontpage text: (search shows 20-30 sites with this text)
Results driven digital advertising
Working with us guarantees the best pairing between our clients' ads and advertising channels. Our easy match traffic solutions target user segments and preferences generating top campaigns for each offer we contract. We use innovative algorithms to provide the best match between our partner's campaigns and our user base allowing us to funnel ads based solely on user interests and platform use.
They advertise a lot of scummy looking websites that are likely just phishing for bank info - but also some less(?) scummy big names: Warby Parker, The Farmer's Dog, Audiobooks.com, Liberty Mutual, Quicken Loans, Harry's, Sono Bello
--some parent domains
baremindsupport.com
lotusvisionllc.com
officewireconnection.com
shiftstickinfo.com
--some child domains
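
The indexing idea from the top of the post, as an added example that is not part of the original post: it pivots on the two registration details described above (a normalised PO box and the domain of the registrant contact e-mail) and clusters domains that share either one, directly or transitively. It assumes WHOIS text has already been fetched and uses the common `Registrant Street` / `Registrant City` / `Registrant Email` field labels; the function names and all sample records are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed WHOIS excerpts: placeholder domains, made-up PO boxes.
SAMPLE = {
    "child-a.example": "Registrant Street: P.O. Box 1234\nRegistrant City: Las Vegas\n"
                       "Registrant Email: admin@parent-one.example",
    "child-b.example": "Registrant Street: PO Box 1234\nRegistrant City: Las Vegas\n"
                       "Registrant Email: contact@parent-two.example",
    "child-c.example": "Registrant Street: Post Office Box 777\nRegistrant City: Reno\n"
                       "Registrant Email: info@parent-two.example",
    "other.example": "Registrant Street: 1 Main St\nRegistrant City: Reno\n"
                     "Registrant Email: owner@other.example",
}

def parse_whois(text):
    """Return {field name: value}, both lowercased, from 'Key: value' lines."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip().lower(): v.strip().lower() for k, sep, v in pairs if sep}

def pivot_keys(fields):
    """Yield normalised keys to index on: PO box + city, contact e-mail domain."""
    m = re.search(r"\b(?:p\.?\s*o\.?|post\s+office)\s*box\s*(\d+)", fields.get("registrant street", ""))
    if m:  # 'P.O. Box 1234', 'PO Box 1234', 'Post Office Box 1234' all collapse
        yield ("pobox", m.group(1), fields.get("registrant city", ""))
    email = fields.get("registrant email", "")
    if "@" in email:
        yield ("email_domain", email.rsplit("@", 1)[1])

def cluster_domains(records):
    """Group domains sharing any pivot key; singletons are dropped."""
    index = defaultdict(set)
    for domain, text in records.items():
        for key in pivot_keys(parse_whois(text)):
            index[key].add(domain)
    root = {d: d for d in records}
    def find(d):  # union-find root lookup
        while root[d] != d:
            d = root[d]
        return d
    for members in index.values():
        first, *rest = sorted(members)
        for other in rest:
            root[find(other)] = find(first)
    groups = defaultdict(list)
    for d in sorted(records):
        groups[find(d)].append(d)
    return sorted(g for g in groups.values() if len(g) > 1)
```

Records hidden behind WHOIS privacy yield the privacy provider's address and e-mail, so those keys should be excluded from the index or they will merge unrelated domains.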