Slashdot Mirror


What's in Your Spam-Fighting Arsenal?

Spamhunter asks: "Everyone has their favorite tools to stop spam at the inbox, whether it's using a scoring tool like SpamAssassin, Bayesian filters, or something as extreme as challenge/response whitelists (which creates a few problems itself). What I'd like to know is, what are your tools for actively investigating and shutting down spammers? I've found information sites like SPEWS and Spamhaus to be invaluable in tracking down spam gangs and spam-friendly ISPs in order to put pressure where it belongs. Sometimes just chasing the chain of ownership in WHOIS is helpful. What tools, approaches, and resources do you find helpful?"


  1. My tools are simple by Motherfucking+Shit · Score: 2, Informative
    Looks like most responses so far aren't addressing the real question - what you use to seek and destroy - and instead are mentioning what they use to avoid spam in the first place. All well and good, but since there aren't many answers to the question at hand, I might as well post mine.

    I generally stick with the basics, whois and traceroute getting the most use. I rarely whois the spamvertised domain itself, unless I'm trying to determine the registrar or its DNS provider... But whois gets a lot of masked use, thanks to the following aliases (bash2, freebsd):
    alias apnic='whois -h whois.apnic.net'
    alias arin='whois -h whois.arin.net'
    alias ripe='whois -h whois.ripe.net'
    So, suppose I get spam with an originating IP of 1.2.3.4, I just grab a shell and type
    [speaker@candletruq]$ arin 1.2.3.4
    If ARIN refers me to RIPE or APNIC, I use the `arin` or `apnic` commands, respectively. Within a couple of seconds, I know which ISP was abused to send the spam, as well as (usually) some administrative contact for that provider. A few more seconds and I have the same information about whichever ISP is hosting the spamvertarget. If you find yourself constantly typing out...
    whois -h whois.arin.net 1.2.3.4
    ...or the appropriate flags to your flavor of whois, setting aliases to point to ARIN/RIPE/APNIC's servers can be a huge timesaver.

    A script I wrote some time ago, called ANAL - get your mind outta the gutter, it stands for Auto NANAS and Lart - takes care of the rest. I paste in the spam, headers and all; then if I'm bothering to report it, I'll also enter in some abuse contacts for the origin/target ISPs. I post the form, the script posts a copy of the spam to the Usenet newsgroup news.admin.net-abuse.sightings, and also sends abuse reports to any email addresses I specified.

    Not necessarily trying to plug myself, but if you've got PHP installed, check out ANAL. You can report spam to the ISP, and also archive a copy in Google Groups (which can help in future spam cases against the same spammer or spam-friendly ISP) at the same time.

    Yes, I actually named one of my machines candletruq.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
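The workflow in the comment above (pull the originating IP out of the pasted spam headers, hand it to ARIN, follow the referral to RIPE or APNIC) can be automated on the parsing side without any network access. The script below is an added example for this thread, not the commenter's ANAL script and not any tool the thread names. The spam message, the ARIN reply text and the list of trusted mail-server addresses are all constructed for the example; the RIR server names are the ones in the comment's aliases. The one design point worth taking from it is that only the Received: lines written by servers you operate can be trusted, so the "originating" address is the first hop outside your own infrastructure, and everything below it may be forged by the sender.

```python
"""Pick the originating IP out of a spam's Received: chain and build the
RIR whois query for it. Added example for this thread, not the commenter's
ANAL script. Sample data and the trusted-server list are constructed."""
import email
import ipaddress
import re

# RIR whois servers, taken from the aliases in the comment above.
RIR_SERVERS = {
    "arin": "whois.arin.net",
    "ripe": "whois.ripe.net",
    "apnic": "whois.apnic.net",
}

# Hypothetical: addresses of the mail servers we run ourselves, whose
# Received: lines we trust. Anything they record came from outside.
TRUSTED_IPS = {ipaddress.ip_address("198.51.100.10")}

# Constructed sample spam. Top header is the most recent hop; the bottom
# one was written by the spammer's own relay and cannot be trusted.
SAMPLE_SPAM = """\
Received: from inbox.example.net (inbox.example.net [198.51.100.10])
\tby mailstore.example.net with ESMTP id q1; Mon, 1 Jan 2001 10:00:02 +0000
Received: from unknown (HELO mail.bigbank.example) [1.2.3.4]
\tby inbox.example.net with SMTP; Mon, 1 Jan 2001 10:00:00 +0000
Received: from [10.0.0.5] by mail.bigbank.example; Mon, 1 Jan 2001 09:59:00 +0000
From: "Offer" <offer@example.com>
Subject: You have won

Click here.
"""

# Constructed ARIN-style reply for space ARIN does not manage.
SAMPLE_ARIN_REPLY = """\
NetRange:       1.0.0.0 - 1.255.255.255
ReferralServer: whois://whois.apnic.net
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_REFERRAL_RE = re.compile(r"^ReferralServer:\s*(?:whois://)?([\w.-]+)", re.M)


def received_ips(raw_message):
    """Return the bracketed IPv4 address from each Received: header as a
    string (None where a header has none), most recent hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _IP_RE.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips


def originating_ip(raw_message):
    """Walk the chain from our side outward and return the first address
    that is neither one of our own servers nor private/loopback space.
    Hops beyond that were recorded by machines we do not control."""
    for text in received_ips(raw_message):
        if text is None:
            continue
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:  # garbage like 999.1.1.1 in a forged header
            continue
        if ip in TRUSTED_IPS or ip.is_private or ip.is_loopback:
            continue
        return str(ip)
    return None


def whois_command(ip, rir="arin"):
    """Build the same command the comment's aliases expand to."""
    return f"whois -h {RIR_SERVERS[rir]} {ip}"


def referral_server(whois_output):
    """ARIN answers for space it does not manage with a ReferralServer:
    line naming the registry that does; return that host, or None."""
    m = _REFERRAL_RE.search(whois_output)
    return m.group(1) if m else None


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_SPAM)
    print("originating IP:", origin)
    print("first query:   ", whois_command(origin))
    nxt = referral_server(SAMPLE_ARIN_REPLY)
    if nxt:
        print("referred to:   ", f"whois -h {nxt} {origin}")
```

Run it as-is and it reports 1.2.3.4 as the origin, prints the ARIN query, then reads the constructed referral and prints the follow-up APNIC query. Swap TRUSTED_IPS for the real addresses of your MX hosts before pointing it at live mail; with the wrong trusted set the walk will either stop at your own relay or trust a header the spammer wrote.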