Brian, agreed. If you scrub against that list of domains and IP addresses you will probably see small numbers. But I suspect there are way more IP addresses that are not listed (and domains). It is common practice for bad guys to shut down IPs and domains regularly once those are not making money for them, in order to avoid further analysis.

It would be interesting to analyze every unique domain and IP address that you see and look for things like the age of the domain, the fact that the domain is entirely alphanumeric, and spelling errors (like “Time Warner Cabel”) and other discrepancies (like the domain is not actually Time Warner Cable).