Yes I understand you completely - and I still say leave it blocked. If someone is running a server on a dynamic IP then they should really be using dyndns or similar so instead of giving out URL's like http://123.123.12.1 or similar they could give people a URL like http://dynamicexample.dyndns.org which also would not have the disadvantage of having to tell people a different URL every time their IP changes. Anyone simply using an IP in a link on a dynamic IP needs to learn how to do it properly. I don't see why WE (email admins etc) should make allowances for the uninformed.
If you are saying this, then you don't need a list. Just use the __KAM_IPHTTP rule below as a standalone rule with a score of your choice. No need for an RBL.
#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|friend|father|daughter|son|nephew)((.{0,35}))? has (sent you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|e)\s*(e|post)?-?card/i body __KAM_CARD2 /enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)/i body __KAM_CARD3 /I['`]m in hurry, but i still love you.../i
body __KAM_IPHTTP /https?://\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/i
describe KAM_CARD Trojan or Virus Payload from fake ecard notice score KAM_CARD 4.5 meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_IPHTTP >= 3)
Regards, KAM