Techniques described and suggested herein include systems and methods for identifying potential sources of infections of devices by unauthorized code. In an embodiment, network traffic is logged. A plurality of computing devices that include unauthorized code is identified. The logged traffic is used to identify information sources accessed by the identified affected devices. The identified information sources may be refined. Refinement of the identified information sources may include excluding information sources that have been accessed by uninfected devices. A user interface that allows a user to further refine the identified information sources may be provided.