Therefore I took a look at the IX’s blacklist project NiX Spam and downloaded a snapshot of the blacklist’s content (save, right click as… you’ve been warned!) which includes a maximum of 40.000 IP addresses. The plain text file comes with a timestamp and the blacklisted IP addresses.
After some more or less simple batch-processing I’ve had a file including all the relevant GeoIP information, the longitude and latitude values of each IP. What was missing was a method to display them in a graphical way, e.g. on a world map.

Couldn’t be Google Maps a solution with its well documented and comprehensive API? So I digged into the Google Maps API and after an hour I was able to change the batch-processing in a way to create the proper output for creating markers on a map, including the well-know tooltip balloons including IP address and timestamp after clicking on a marker.

First tests with a few dozens data sets went just fine, but in this very special moment right before crossing the finish line, my browser decided to stop working for a couple of minutes.
It turned out that 40.000 markers, combined with a tooltip, was way too much data to be handled by the browser. Navigating or zooming the map just wasn’t possible. Even after I’ve reduced the amount of data sets to 10.000 it was slow as hell.

Besides the performance issues it turned out that the visualization is almost useless because of the many overlapping markers as you can see on the left. Spammer mostly use botnets,  thousands of Zombie PCs, distributed all over the world.
Sure, it is possible to see areas with a much higher density than other regions, but these are also the regions where internet is accessible from almost everywhere. It’s easily explainable that there are less Spammers in the australian outback or South America’s jungle.

But each drawback has also its advantages. Besides the fact that I gained more knowledge of vim, sed and awk once more, it won’t be too hard to complete this.
With a slightly different approach, e.g. abandoning the longitude/latitude data and prefering the city’s name, it’d be possible to present shrinking or growing markers based on the amount of machines in a specific city. This would drastically reduce the amount of markers and is not that hard to implement.

sudo aptitude install geoip-bin

After installation you’re able to use geoiplookup from the command line:

user@server:~$ geoiplookup www.heise.de
GeoIP Country Edition: DE, Germany

But that’ll only show you the country of the server’s location. For more precise information MaxMind‘s LGPL version of their GeoIP database comes in handy. It’s being updated at the beginning of each month and available via this link (approx. 30 MB).

Simply download the archive, gunzip it and move it to the proper location:

gunzip GeoLiteCity.dat.gz
mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

After that, geoiplookup returns more accurate location details on a city-level:

user@server:~$ geoiplookup www.heise.de
GeoIP Country Edition: DE, Germany
GeoIP City Edition, Rev 1: DE, 06, Hanover, (null), 52.366699, 9.716700, 0, 0
GeoIP City Edition, Rev 0: DE, 06, Hanover, (null), 52.366699, 9.716700

Tossing longitude and latitude to Google Maps it’ll show the location of the Heise Verlag’s office, although the servers are running in Frankfurt/Main 350 kilometers south of Hannover.

If you want to keep the information up to date you should create a small script, triggered by a cronjob running at 1:30am on the third day of each month.

The cronjob, assuming you define cronjobs via /etc/crontab:

30 1 3 * * root /root/scripts/update_geoip_db.sh

The “script”:

#!/bin/bash
 
wget -t 5 "http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"
gunzip -f /root/scripts/GeoLiteCity.dat.gz
mv /root/scripts/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

On the console you usually won’t get more detailed information, because MaxMind doesn’t include all their knowledge in the LGPL version of their GeoIP databases. In case you need additional information you might want to use MaxMind’s freely accessible web-interface which uses some of the purchasable databases as its backend.

But don’t expect to get information on a district, street or even house number level. That’s simply not possible due to the common IP address block allocation and the fact that most of the information is gathered from whois data, which mostly doesn’t include the “end user’s” location rather than the ISP’s office address.