At Daniel Quinlan's suggestion, we've started to check a sampling of SURBL name server queries against sbl and xbl.spamhaus.org. His interest is as a potential replacement for the very time-consuming NS record lookups done with uridnsbl.
We haven't turned these into a SURBL yet, but probably will eventually. So far this has resulted in about 11k SBL domains with about 60% overlap with existing SURBLs. The fun thing is that this catches at a very early stage spams from scumbags like "Media Dreamland" that has been spamming free computer monitors, etc. lately. Some of these types of operations, which reuse the same name server IPs but register and change domains frequently, are caught this way, just like uridnsbl does, but with perhaps a few missed due to sampling effects on the DNS queries. This method also features a much lower global DNS overhead since the lookups are done once in a centralized way, and not repeatedly in a gazillion SpamAssassin installations on the same domains in a very distributed and redundant way.
The way this works is that we sample DNS queries from SURBL lookups and compare new wild domains (i.e. domains found in general email URIs) against xbl and sbl and build up lists of the matches. (To be more correct, it's the wild domain name server "NS" record resolved IP addresses which are checked against sbl and xbl.) Along with this there will need to be expiration runs, which I haven't built yet. (In other words, domains should come off the lists when they no longer resolve or no longer resolve to name servers in sbl or xbl.)
The main downside is that domains matching name servers listed in sbl or xbl definitely have more false positives than our other SURBL lists. We'll want to do some testing, but it may be as high as 1%, so they'd need to be used carefully.
Some other perhaps interesting stats after about two weeks:
unique queries logged so far about 250k (These are reduced to base domains where easy)
SBL matches so far about 11k
XBL matches so far about 400

SBL are checked for NS records only
XBL are checked for NS, www, base domain against XBL (but not MX)
Questions? Comments? Suggestions?
Jeff C.
--
"If it appears in hams, then don't list it."
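The NS-based check and the expiration run described in the message above, as an added sketch that is not the SURBL project's own code. It covers only the NS case; the function names, the injected resolver callables and the sample DNS data are assumptions constructed so that it runs offline.

```python
import ipaddress

ZONES = ("sbl.spamhaus.org", "xbl.spamhaus.org")

def dnsbl_qname(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def ns_hits(domain, ns_of, a_of, is_listed):
    """Map each zone to the domain's name server IPs that are listed in it."""
    hits = {}
    for ns in ns_of(domain):            # NS records of the wild domain
        for ip in a_of(ns):             # addresses of each name server
            for zone in ZONES:
                if is_listed(dnsbl_qname(ip, zone)):
                    hits.setdefault(zone, set()).add(ip)
    return {zone: sorted(ips) for zone, ips in hits.items()}

def refresh(listed, sampled, ns_of, a_of, is_listed):
    """One pass: add sampled domains that match, expire ones that no longer do."""
    result = {}
    for domain in sorted(set(listed) | set(sampled)):
        hits = ns_hits(domain, ns_of, a_of, is_listed)
        if hits:                        # unresolvable or clean domains drop off
            result[domain] = hits
    return result

# Constructed sample data standing in for live DNS (documentation address ranges).
NS = {"spam-a.example": ["ns1.bad.example"], "spam-b.example": ["ns1.bad.example"],
      "ham.example": ["ns.good.example"], "moved.example": ["ns.good.example"]}
A = {"ns1.bad.example": ["192.0.2.10"], "ns.good.example": ["198.51.100.7"]}
LISTED = {"10.2.0.192.sbl.spamhaus.org"}

def demo():
    ns_of = lambda d: NS.get(d, [])     # missing key = domain no longer resolves
    a_of = lambda h: A.get(h, [])
    is_listed = lambda q: q in LISTED   # live: an A answer in 127.0.0.0/8 means listed
    previously = ["moved.example", "gone.example"]
    sampled = ["spam-a.example", "spam-b.example", "ham.example"]
    return refresh(previously, sampled, ns_of, a_of, is_listed)

if __name__ == "__main__":
    print(demo())
```

Two freshly registered domains sharing one listed name server are both caught, while a previously listed domain that moved to an unlisted name server and one that no longer resolves both expire.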