Going to war against the free-stuff spammers
Problem reported by Douglas Foster - Today at 12:38 PM
Here is how I am taking on the free-stuff attackers:
1) detect another source domain
2) look up the IP address on ipinfo.io to get the abuse reporting address
3) Copy and paste to quickly create an email to the abuse reporting address
Subject: Abuse from client <domain> on <ipaddress>
Body:
You have a client that is part of a world-wide attack system, using fraudulent offers of free stuff from well-known brands. The attacker is smart enough to use locally-relevant brand names. We have blocked thousands of these attacks from many different sources, so I suspect a nation-state actor. Now you have become part of the problem as well.

The message is thoroughly authenticated to the attack domain, producing SPF PASS, DKIM PASS, and DMARC PASS. The Helo name is also verifiable with forward-confirmed DNS. Unfortunately, they have many attack domains at their disposal, so domain reputation is unknown.

Message headers appear below my signature
<signature>
<Message headers, after removing headers inserted by my filtering software>
4) Send the message

It only takes a minute, and it gives the bad guys one less hosting service to exploit.   Hopefully it causes the hosting services to vet their clients more carefully.
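The four steps above can be scripted so the report is drafted from the message headers in seconds. The following is an added example, not code from the post or from SmarterTools: it pulls the connecting IP out of the Received header written by your own MTA, reads the sender domain and the SPF/DKIM/DMARC verdicts, strips the headers your filter inserted, looks up the abuse contact via ipinfo.io's JSON endpoint, and assembles the Subject and Body in the shape described above. The sample headers, the `X-MyFilter-` prefix, the `mx.example.net` receiver name and the `203.0.113.45` address are all constructed for illustration.

```python
"""Draft an abuse report from a spam message's raw headers.

Added example (not from the forum post): automates the steps the post
describes. Sample headers, the X-MyFilter- prefix and mx.example.net are
constructed placeholders; replace them with your own filter's header prefix
and your inbound MTA's host name.
"""
import json
import re
import urllib.request
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The first Received line was added by our own MTA
# (mx.example.net, assumed) and names the peer that delivered the message;
# everything below it was written by the sender and cannot be trusted.
SAMPLE_HEADERS = """\
X-MyFilter-Score: 9.2
X-MyFilter-Verdict: quarantine
Received: from mail.attacker-example.test (mail.attacker-example.test [203.0.113.45])
\tby mx.example.net with ESMTPS id abc123; Mon, 1 Jan 2024 12:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.attacker-example.test; Mon, 1 Jan 2024 11:59:58 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=attacker-example.test;
\tdkim=pass header.d=attacker-example.test; dmarc=pass header.from=attacker-example.test
From: "Rewards Team" <win@attacker-example.test>
Subject: You have been selected for a free prize
"""

LOCAL_HEADER_PREFIX = "x-myfilter-"   # assumed: prefix used by our filtering software
TRUSTED_RECEIVER = "mx.example.net"   # assumed: our own inbound MTA

# Matches "from <helo> (<rdns> [<ip>]) by <host>" across folded lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)"
)


def connecting_ip(raw):
    """Return (ip, helo) of the host that handed the message to our MTA."""
    msg = message_from_string(raw)
    for rec in msg.get_all("Received", []):
        m = RECEIVED_RE.search(rec)
        if m and m.group("by").lower() == TRUSTED_RECEIVER:
            return m.group("ip"), m.group("helo")
    return None, None


def sender_domain(raw):
    """Domain of the From: address (the domain the message authenticates to)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(raw):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results."""
    text = " ".join(message_from_string(raw).get_all("Authentication-Results", []))
    out = {}
    for k in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{k}=(\w+)", text)
        if m:
            out[k] = m.group(1)
    return out


def strip_local_headers(raw):
    """Drop the headers our own filter inserted; keep everything else verbatim."""
    msg = message_from_string(raw)
    keep = [(k, v) for k, v in msg.items() if not k.lower().startswith(LOCAL_HEADER_PREFIX)]
    return "\n".join(f"{k}: {v}" for k, v in keep)


def lookup_abuse_contact(ip, fetch=None):
    """Abuse e-mail for ip from https://ipinfo.io/<ip>/json.

    The 'abuse' object is only returned on plans that include it (assumption:
    add ?token=... to the URL for your account). 'fetch' can be swapped for an
    offline stub when testing.
    """
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as r:
                return r.read().decode()
    data = json.loads(fetch(f"https://ipinfo.io/{ip}/json"))
    return (data.get("abuse") or {}).get("email")


def build_abuse_report(raw, abuse_addr, signature="<signature>"):
    """Assemble the report: subject, body, and the cleaned headers below the signature."""
    ip, helo = connecting_ip(raw)
    domain = sender_domain(raw)
    auth = auth_results(raw)
    body = (
        f"Your client at {ip} (HELO {helo}) is sending fraudulent free-stuff offers\n"
        f"that impersonate well-known brands. The message authenticates to {domain}:\n"
        + "".join(f"  {k.upper()}: {v.upper()}\n" for k, v in auth.items())
        + "\nMessage headers appear below my signature.\n\n"
        f"{signature}\n\n{strip_local_headers(raw)}\n"
    )
    return {"to": abuse_addr, "subject": f"Abuse from client {domain} on {ip}", "body": body}


if __name__ == "__main__":
    ip, _ = connecting_ip(SAMPLE_HEADERS)
    report = build_abuse_report(SAMPLE_HEADERS, lookup_abuse_contact(ip) or "<abuse address>")
    print(report["to"], "\n", report["subject"], "\n\n", report["body"])
```

Only the Received line written by your own MTA is used to pick the IP; Received lines further down the chain are sender-supplied and are ignored for attribution, although they are still included in the headers attached to the report.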
Derek Curtis Replied
Employee Post
These are really nice posts, Douglas. I'm sure others appreciate you sharing your insights. 
Derek Curtis COO SmarterTools Inc. www.smartertools.com
