Automated monitoring of CT logs for such patterns is likely to be productive, if you can get the bad domains flagged as hostile quickly enough.