we've started to check a sampling of SURBL name server queries against sbl and xbl.spamhaus.org.
Jeff,
For months now, I've been converting domains within messages to IP address and checking these (along with raw IP addresses) against "sbl-xbl.spamhaus.org". This was a final stage of filtering where almost all spam had already been caught. This way, I could audit these and not have a mountain of spam messages to audit.
From all of the "hands on" analysis that I've done, I have some suggestions.
1st, if you are converting domains to IPs and then checking these IPs against spamhaus, you may have to make sure your system can whitelist the domains **before** conversion to IP since the IPs can change without notice.
2nd, SpamHaus keeps listing the following: msn.click-url.com (& variations). (These show up FREQUENTLY in hams, so I'd Whitelist these up front. They seem to go in and out of SpamHaus intermittently.)
FOR EXAMPLE:
msn.click-url.com = 216.39.69.75
http://www.spamhaus.org/query/bl?ip=216.39.69.75
...points to...
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20705
3rd, in fact, SpamHaus is going to list a lot of greymarketers that shouldn't be listed in SURBL (flowgo, euniverse, etc)
4th, most of the FPs I find in SpamHaus are XBL listings where the data source for that particular FP was http://cbl.abuseat.org/
CBL catches a LOT of spam... but it also periodically will list the mailserver for a respected ISP where that ISP had one user who sent out a bunch of spam and then CBL listed the IP address of that server. Unfortunately, this creates a lot of collateral damage. Recently, I experienced this with one of my client's customer's BellSouth E-mail services. (I don't know the ratio of XBL stuff via CBL versus XBL stuff from other sources. I'd be curious to know this.)
Jeff, very likely, (I have a feeling) I've misunderstood your original intended use of SpamHaus? But maybe this information will be helpful anyway? I would definitely recommend NOT using the strategy I've described as an **automatic** way to get listed in SURBL. This would defeat MOST of the hard work we've done to minimize FPs. But, on the other hand, there are many great possibilities here for using this as a tool for evaluating URIs or as a honeypot for queuing URIs for evaluation where the URI wasn't already in SURBL.
Rob McEwen
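
The workflow described in the message above, sketched as an added example (not code from the original post or from SURBL/Spamhaus): whitelist on the domain name before it is resolved, query the resolved IPv4 address against the zone, and queue hits for manual review instead of listing them automatically. The whitelist entry, the function names and the return-code mapping (127.0.0.2 for SBL, 127.0.0.4 to 127.0.0.7 for XBL) are assumptions of this sketch.

```python
import socket
from urllib.parse import urlsplit

ZONE = "sbl-xbl.spamhaus.org"      # zone named in the message
WHITELIST = {"click-url.com"}      # constructed entry covering msn.click-url.com and variations

def is_whitelisted(host, whitelist=WHITELIST):
    """Match on the domain name itself, before any DNS lookup."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in whitelist)

def dnsbl_name(ip, zone=ZONE):
    """1.2.3.4 -> 4.3.2.1.<zone>, the usual DNSBL query form (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(answer):
    """Map the DNSBL A-record answer to its source list (assumed codes)."""
    last = int(answer.rsplit(".", 1)[1])
    if last == 2:
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    return "other"

def _lookup(name):
    """Default resolver: returns an IPv4 string, or None if the name has no A record."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def audit_uris(uris, resolve=_lookup, query=_lookup):
    """Return (skipped, review_queue); nothing is listed automatically."""
    skipped, review = [], []
    for uri in uris:
        host = urlsplit(uri).hostname
        if not host:
            continue                      # no host part (e.g. mailto:)
        if is_whitelisted(host):
            skipped.append(host)          # never resolved, so IP changes cannot matter
            continue
        ip = resolve(host)
        answer = query(dnsbl_name(ip)) if ip else None
        if answer:
            review.append((host, ip, classify(answer)))  # XBL hits need the closest look
    return skipped, review
```

`resolve` and `query` are injectable so the audit can be replayed against recorded DNS answers; the source list is kept in each queue entry so XBL hits can be reviewed separately from SBL hits.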