Eric Brunner-Williams is slightly incorrect
that happens.
Whois records
if you read my note, the only whois data of interest is the registrar and the ns providers (and their ns providers). other data of interest originates from rir public rwhois servers.
Meanwhile ... the miscreant's IP address ...
this instance was interesting in its unsophistication. from a related writing: The insertion network is is single address [151.42.235.185]. The subscriber network is is single property [paxil-medication]. More generally, multiple robo-hosts comprise the insertion network (attack side), trailing, but following the same technical trajectory as SMTP spam, and multiple URL payloads (benefit side), and commit only a few ad inserts in any discrete attack over a larger range of targets.
I'd recommend that Eric check nic-naa.net's whois phone numbers,
that was the one useful item you wrote. core-50 may have a problem, and it may be the case that the core-srs whois server may have a problem. thanks for the data point. incidently, in addition to post-detection persistent blocking, temporal approaches (interstitical gap management) for a single attack address are available, and a nanog reader has mentioned an implementation of a baysean approache in private mail. eric