I agree, we definitely need SURBL black lists. They have helped tremendously against spam! I just feel that it would be chasing one's tail a bit to try to catch phishing in SURBL.
People who do phishing are going to change their IP address (IP where the actual target/sucker is sent) frequently. They are also probably going to use random and ever-changing computer IPs outside the US for obvious legal reasons. Maybe zombies even, who knows.
Any domain names in a phishing email's code are most likely going to be legit domain names such as ebay.com, bankofamerica.com, southtrustbank.com, etc. These are the domains visible to the target/sucker.
So it just seems to me that an antivirus program is better for detecting the HTML code patterns of these schemes rather than the IP address of the day/week that they would be sending from in South Korea, Russia or China, etc. There is a very simple ClamAV plugin that does this (see the SA Wiki). I am using it on my SA system and it does the job of sending it on to my next downstream systems marked as spam. I have more antivirus on downstream systems that will delete real viruses as well, since I just use ClamAV for spam tagging for simplicity's sake. (I don't want to put a ton of programs on the computer to call SA, such as Amavis-new, etc., so that is why I do this.)
And by the way: I REALLY appreciate your SURBL lists and hard work even if I think other tools supplement and help make your stuff even better.
My security principles include (but are not limited to):
Stop as much as possible at the outer perimeter (earlier the better)
Defense in depth
For us, the virus scanning happens before the Spam tests; early is good.
-- Herb Martin