I just read in eWeek about yet another technique to find suspicious sites. The principle is surprisingly simple:
1) Take N virtual machines, running Windows XP with various degrees of un-patched security holes. These machines will serve as a honeypots for potential spyware.
2) Each machine (called a monkey) will randomly visit a random site from the internet.
3) Use automatic software to detect any infections and report them.
4) Repeat as needed.
More technical details are in this PDF on the Microsoft Research site.
P.S. I guess that the next step for spyware site maintainers would be to “detect” when the patrol is coming, and resume to an unsuspicious activity. Assuming that you know a way to identify the patrol, as for example, any IP addresses that are bought by these Microsoft researches. But then the researches will switch to unsuspicious IP addresses, and so on and so forth…