Looks good. Did not see the heuristic details documented, but one thing I would definitely suggest adding is spamhaus lookups on the resolved www and base domain and on the domain NS records. I find that a strong correlator of spam, though of course no source is perfect. For example:
antispam: [198]% ns savingzplus.biz
Server: localhost.freeapp.net
Address: 127.0.0.1

Name: savingzplus.biz
Address: 219.147.198.131

antispam: [199]% ns www.savingzplus.biz
Server: localhost.freeapp.net
Address: 127.0.0.1

Name: www.savingzplus.biz
Address: 219.147.198.131

(where ns is nslookup)

antispam: [202]% dig 131.198.147.219.sbl-xbl.spamhaus.org a

; <<>> DiG 8.3 <<>> 131.198.147.219.sbl-xbl.spamhaus.org a
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>>HEADER<<- opcode: QUERY, status: NOERROR, id: 20797
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
;; QUERY SECTION:
;; 131.198.147.219.sbl-xbl.spamhaus.org, type = A, class = IN

;; ANSWER SECTION:
131.198.147.219.sbl-xbl.spamhaus.org. 1h59m53s IN A 127.0.0.2
Bingo! Probably a bad guy.
Jeff C.
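
The lookup sequence in the post above (resolve the base and www names, reverse each address's octets, query the DNSBL zone) as an added example that is not part of the original post. The function names are hypothetical, NS host names are passed in by the caller because the Python standard library cannot query NS records, treating only 127.0.0.x answers as listings is an assumption of this sketch, and the resolver table is constructed sample data.

```python
import ipaddress
import socket

ZONE = "sbl-xbl.spamhaus.org"  # the zone queried in the post above

def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolve(name):
    """Return the A records for name, or [] when it does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:  # covers socket.gaierror / socket.herror (NXDOMAIN etc.)
        return []

def check_domain(domain, resolve=system_resolve, ns_hosts=(), zone=ZONE):
    """Check the base domain, its www host and the given NS hosts.

    Returns {ip: {"hosts": [...], "codes": [...]}} for listed addresses only.
    """
    listed = {}
    for host in (domain, "www." + domain, *ns_hosts):
        for ip in resolve(host):
            answers = resolve(dnsbl_name(ip, zone))
            # Assumption: only 127.0.0.x counts as a listing, so an answer
            # injected by a wildcarding resolver is not read as a hit.
            codes = [a for a in answers if a.startswith("127.0.0.")]
            if codes:
                entry = listed.setdefault(ip, {"hosts": [], "codes": codes})
                entry["hosts"].append(host)
    return listed

# Constructed resolver table so the example runs offline. The first three
# entries mirror the lookups shown in the post; the rest are made up.
SAMPLE = {
    "savingzplus.biz": ["219.147.198.131"],
    "www.savingzplus.biz": ["219.147.198.131"],
    "131.198.147.219.sbl-xbl.spamhaus.org": ["127.0.0.2"],
    "ns1.example.net": ["192.0.2.53"],  # hypothetical NS host, not listed
    "example.org": ["192.0.2.10"],      # hypothetical clean domain
}

def sample_resolve(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    print(check_domain("savingzplus.biz", sample_resolve, ["ns1.example.net"]))
```

Calling `check_domain` without the `resolve` argument uses the system resolver instead of the sample table.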