> 2) uses an attack algorithm to distribute the load so you only see any given source IP every other day

Yep. My list of "attacking IP's" was several thousand deep before I gave up.

Back when I used to analyze dialup spammers (well over a year ago) I felt that a large part of the spam problem could be traced back to just a handful of very prolific abusers. Some were "professionals", with 4 to 8 phone lines at home, others seemed to be mixing their home and work phone access. One(?) person laundered all his calls through 800-number accessible switchboards (hotels and resorts). I still think pursuing just these heavy hitters could pay off big for everyone. For a short time at least.

If you want to try some simple analysis on your own:

- once you have a spammer's userid and caller ID, pull every record for that userid and caller ID. This will give you several new userids and phone numbers. Pull all of those too, and keep repeating until nothing new pops out. Search all of your logs, for as far back as possible. Watch out for mixed case and trailing spaces.
- every few iterations, use a round of reverse number lookups at anywho.com, and the address and name lookups at infospace.com to expand your phone numbers.
- if any of the numbers trace back to businesses, knock off (wild card) the last one or two digits of the phone numbers and search again.
- Google any distinctive (personal?) userids.

(obNanog: I doubt many other groups' members have access to the needed records)
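
The userid / caller ID expansion described in the post above, written out as an added example that is not part of the original message. The `(userid, caller_id)` record layout, the sample records and the `business` parameter (numbers the analyst has already traced to a business) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample dial-up session records: (userid, caller_id).
RECORDS = [
    ("spamking", "5551230001"),
    ("SpamKing ", "555-123-0002"),   # mixed case and trailing space
    ("bulkmail7", "5551230002"),
    ("bulkmail7", "5559870010"),
    ("offers4u", "5559870017"),      # shares a business number block
    ("alice", "5554440000"),         # unrelated customer
]

def normalize_user(user):
    return user.strip().lower()

def normalize_phone(phone):
    return "".join(c for c in phone if c.isdigit())

def expand_cluster(records, seed_user, seed_phone, business=(), wildcard_digits=2):
    """Repeat userid <-> caller ID lookups until nothing new pops out."""
    by_user, by_phone = defaultdict(set), defaultdict(set)
    for user, phone in records:
        u, p = normalize_user(user), normalize_phone(phone)
        by_user[u].add(p)
        by_phone[p].add(u)
    business = {normalize_phone(b) for b in business}
    users, phones = set(), set()
    queue = deque([("user", normalize_user(seed_user)),
                   ("phone", normalize_phone(seed_phone))])
    while queue:
        kind, value = queue.popleft()
        seen = users if kind == "user" else phones
        if value in seen:
            continue
        seen.add(value)
        if kind == "user":
            queue.extend(("phone", p) for p in by_user.get(value, ()))
            continue
        queue.extend(("user", u) for u in by_phone.get(value, ()))
        if value in business:
            # Business line: wildcard the last digits and search again.
            prefix = value[:-wildcard_digits]
            queue.extend(("phone", p) for p in list(by_phone)
                         if p[:-wildcard_digits] == prefix)
    return users, phones

if __name__ == "__main__":
    print(expand_cluster(RECORDS, "spamking", "5551230001"))
    print(expand_cluster(RECORDS, "spamking", "5551230001", business=["5559870010"]))
```
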