.
If you open up the email payload and view the IP address of the source, open a DOS window and type in the nslookup xxx.xxx.xxx.xxx command, substitution the x's with the IP address. You'll find that around 70% of them are sourced from free or $1/mo Amazon AWS accounts.
Amazon is the #1 proliferator of spam emails.
The AWS apps that run, are started on virtual servers and will link to non-AWS URLs in the emails. If you do a whois on the domain names, most won't have their mandatory ICANN registry information filled out. You can report them to ICANN and if they don't add it in a month, that hostname will get taken down. AWS will also take them down, if reported. That requires you to sign up for an AWS account to report fraud. But if campaigns are taken down, they will pop up a few days later as another campaign.
Most of those addresses will be at one of those strip mall P.O. Box places. Get a bunch of them and report them to the PO Box company and they will pull their P.O. Box.
Hosting provider 1and1 is also the primary host for these domains too. While domain hosts say they can't control what their domain holders do, send a few of those emails to them and they will yank that client. Funny thing is... no one wants to be associated with scammers.
Save off all your scam emails, log the source IP, the hostname of it, the target URL and see if there is a commonality. Once you compile a bunch, go to AWS, go to the domain host, report them to ICANN and contact their post office provider. I've taken quite a few offline for long periods by hitting them on all fronts.
.