Supposedly if you put a newly installed, unpatched Windows box on the 'net, with an Outlook address book full of fresh spamtrap addresses, you'll start getting spam to those addresses in something like 3 hours.
And if you buy a recently expired domain name and set up an SMTP server for it, then you will receive incoming email for quite a long period of time. Each one of those messages will have valid From and CC email addresses that you could collect. In order to truly secure the net against spammers we would need to secure both the email system and the DNS system. I use the word "system" in the context of General Systems Theory, to refer to everything connected with the transport of email across the Internet including the users, their interfaces, the MUAs, the MTAs and the protocols. Similarly for DNS, I include things like the domain name registries and registrars and their policies. Bandaid fixes only buy time, they don't fix the problem. --Michael Dillon P.S. ASRG is a good idea because it is systematically collecting and validating a lot of what we know about spam to make it easier for decision makers to understand the issues. http://www.irtf.org/asrg/