by paulmd 3510 days ago
It's really hard to track down the perpetrator unless they make a mistake. Even if you tracked the perpetrator down, there is a very good chance they are in Eastern Europe or some other country/region that will not prosecute or extradite them.

So basically it's almost certainly a waste of time for law enforcement and they mostly don't bother. If they did, we would see command/control moved inside Tor and it would become even more difficult to track (AFAIK this already happens in the more sophisticated botnets).

The appropriate analogy is probably something like fake check scams. Illegal, but difficult to trace and likely to lead to a dead end.


> The appropriate analogy is probably something like fake check scams. Illegal, but difficult to trace and likely to lead to a dead end.

Oops, I actually jumped topics for the final paragraph and was making an analogy about scanners trying random passwords on a known port, or similar.

Well - and this goes for ransomware too - if you are smart then you aren't doing the portscanning or mailing from your personal PC. It's coming from compromised PCs or IoT devices in a botnet. So tracking down the perpetrator still involves finding the well-concealed owner of a botnet.

As a mitigation strategy you can certainly perform filtering and rate-limiting at a firewall, or even blacklisting certain IPs. I'm pretty sure there are already collectively-maintained blacklists of badly-behaved machines/devices. But you're really just taking some compromised PCs off the net, not going after the perpetrator.
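The rate-limiting and blacklisting mitigation the comment mentions, as an added example that is not part of the thread: a small fail2ban-style detector that reads sshd failed-login lines, flags sources that cross a failure threshold inside a sliding time window, and renders firewall drop rules for them. The log lines, the hostnames, the IP addresses and the assumed `inet filter` / `input` nftables table and chain are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log sample (not from the thread): one fast guesser,
# one slow guesser spaced 10 minutes apart, one legitimate login.
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 03:14:02 host sshd[2311]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
Jan 12 03:14:03 host sshd[2312]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 12 03:14:04 host sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
Jan 12 03:14:05 host sshd[2314]: Failed password for invalid user guest from 203.0.113.7 port 51126 ssh2
Jan 12 03:14:45 host sshd[2321]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
Jan 12 03:20:00 host sshd[2330]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
Jan 12 03:30:00 host sshd[2331]: Failed password for invalid user admin from 192.0.2.9 port 33002 ssh2
Jan 12 03:40:00 host sshd[2332]: Failed password for invalid user admin from 192.0.2.9 port 33003 ssh2
Jan 12 03:50:00 host sshd[2333]: Failed password for invalid user admin from 192.0.2.9 port 33004 ssh2
Jan 12 04:00:00 host sshd[2334]: Failed password for invalid user admin from 192.0.2.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every failed-login line; syslog lines lack the year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_bruteforcers(log_text, threshold=5, window_seconds=600):
    """Return {ip: time the threshold was first hit} for sources with at least
    `threshold` failures inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old entries
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def nftables_rules(flagged, port=22):
    """Render drop rules for flagged sources; assumes an existing 'inet filter' table with an 'input' chain."""
    return [f"nft add rule inet filter input ip saddr {ip} tcp dport {port} drop"
            for ip in sorted(flagged)]
```

With the default 10-minute window the fast guesser is flagged and the slow one is not, which is the trade-off the comment points at: the rules only ever block whichever compromised hosts happen to be noisy, not whoever runs them.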