SpamAssasisn may check more than the specified levels. For example, it may check at levels two and three on GTLDs, or at least it did at one point.
Looking at some of the SA 3.1.1 debug output, SA's URIDNSBL will query only at level 3 for domains with a country code (e.g. .co.uk), and level 2 for other GTLDs (.com).
Examples:
[5180] dbg: uri: parsed uri found, http://www.hydeparkcalling.co.uk/ [5180] dbg: uri: parsed domain, hydeparkcalling.co.uk [5180] dbg: uridnsbl: domains to query: hydeparkcalling.co.uk
[6977] dbg: uri: parsed uri found, http://www.manage-performance.com [6977] dbg: uri: parsed domain, manage-performance.com [6977] dbg: uridnsbl: domains to query: manage-performance.com
So unless my understanding of SA's URIDNSBL is mistaken, and it certainly could be, we'll never catch any of the subdomains in SURBL. No big deal; someone probably is using some implementation of URI checking with SURBL that does.
If a subdomain is listed, the subdomain should be checked. It's not necessarily safe to check the base domain when a subdomain is listed. For example if phishing.freehost.com is blacklisted, checking freehost.com is probably not a good idea. I do realize this is somewhat off spec.
Thanks, this is what I was wondering.
Brandon