I asked around on John's behalf. What I heard back wasn't overly encouraging. The answers I got ranged from colorful variations on "too bad, welcome to the Internets" (I'd never heard the acronym "BOHICA" before) to "implement complicated technical solutions that kind of help, but not really."
The short answer here is that you don't have a ton of options other than just putting up with it. If the level rises to the point where it'd be appropriate for you to bring lawyers into the fray, I'd recommend finding a savvy internet consultant or anti-spam group to help you track down the offenders. I'm sure the spam is coming from hosts all around the Internet and I doubt that they correctly indicate who the sender is (both are clear violations of the US CAN-SPAM law). Spamhaus, the best-known anti-spam group, is especially adept at this type of thing. I don't know if they consult for folks in your situation, but it's worth investigating. Their website is at www.spamhaus.org.
In the realm of a technical solution, BATV (Bounce Address Tag Validation -- see http://mipassoc.org/batv/) is a process that a mail server can employ to help tell good bounces from bad.
Matt Sergeant of email security and management service provider MessageLabs was kind enough to explain to me how it works. Here's what he had to say:
Instead of sending MAIL FROM:
It's very effective, but breaks any remote end system that keys off the MAIL FROM address (and there are lots of such systems, making a rollout on a large and diverse system problematic). Very effective on systems you have lots of control over though.
If that sounds a bit technical, that's because it is. It also doesn't stop the bad guys from doing what they're doing, it just helps you filter out the bounces more easily.
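Here is an added Python illustration (not from the post, MessageLabs or the BATV project) of the "prvs" tagging scheme described in the BATV draft: the sending side signs its MAIL FROM address with a secret and an expiry day, and the receiving side refuses any bounce addressed to an untagged, forged or expired address. The secret, key number and day counts below are made-up values.

```python
import hashlib
import hmac
import re

# Constructed secret for this illustration; a real MTA keeps its own private key.
SECRET = b"example-batv-secret"
KEY_NUMBER = 0  # prvs tags carry a key number so the secret can be rotated
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")


def _sig(day_code: str, address: str) -> str:
    """First 6 hex chars of HMAC-SHA1 over the expiry day code and bare address."""
    mac = hmac.new(SECRET, (day_code + address).encode(), hashlib.sha1)
    return mac.hexdigest()[:6]


def tag_sender(address: str, today: int, validity_days: int = 7) -> str:
    """Rewrite user@domain into prvs=KDDDSSSSSS=user@domain for MAIL FROM.

    `today` is a day count (e.g. days since the Unix epoch). The expiry day is
    stored modulo 1000, which is fine as long as validity_days is small."""
    local, domain = address.rsplit("@", 1)
    day_code = f"{(today + validity_days) % 1000:03d}"
    return f"prvs={KEY_NUMBER}{day_code}{_sig(day_code, address)}={local}@{domain}"


def accept_bounce(rcpt: str, today: int, validity_days: int = 7):
    """Apply to a null-sender (MAIL FROM:<>) message addressed to `rcpt`.

    Returns (accept, reason). A bounce to an untagged or badly tagged address
    cannot be a reply to mail we sent, so it is backscatter and is refused."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "untagged address: we never sent mail with this MAIL FROM"
    key, day_code, sig, address = m.groups()
    if int(key) != KEY_NUMBER:
        return False, "unknown key number"
    if not hmac.compare_digest(sig, _sig(day_code, address)):
        return False, "signature mismatch: tag was forged or altered"
    # Days until expiry, computed modulo 1000; a tag past its expiry wraps high.
    remaining = (int(day_code) - today) % 1000
    if remaining > validity_days:
        return False, "tag expired: stale bounce or replayed tag"
    return True, f"genuine bounce for {address}"
```

On a real server the untagged address also has to be restored before local delivery, which is exactly the step that trips up remote systems keying off the raw MAIL FROM.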
SpamAssassin offers a "Virus Bounce Toolset" which is supposed to help in a similar fashion.
Eventually, email authentication technologies like SPF (Sender Policy Framework) and DK (DomainKeys) could help with stuff like this. If you publish an SPF record, you're telling the world that your mail only comes from a certain set of IP addresses. The spammer's mail would not be coming from those specified IP addresses, and receiving ISPs could filter or reject the mail based on this fact. Look for this in the future, but it's not widely deployed or enforced currently.