Tracking the bad guys

Eric Brunner-Williams is slightly incorrect

that happens.

Whois records

if you read my note, the only whois data of interest is the registrar and
the ns providers (and their ns providers). other data of interest originates
from rir public rwhois servers.

Meanwhile ... the miscreant's IP address ...

this instance was interesting in its unsophistication. from a related

  The insertion network is a single address [].
  The subscriber network is a single property [paxil-medication].

  More generally, multiple robo-hosts comprise the insertion network
  (attack side), trailing, but following the same technical trajectory
  as SMTP spam, and multiple URL payloads (benefit side), and commit
  only a few ad inserts in any discrete attack over a larger range of

I'd recommend that Eric check whois phone numbers,

that was the one useful item you wrote. core-50 may have a problem, and it
may be the case that the core-srs whois server may have a problem. thanks
for the data point.

incidentally, in addition to post-detection persistent blocking, temporal
approaches (interstitial gap management) for a single attack address are
available, and a nanog reader has mentioned an implementation of a bayesian
approach in private mail.