"The older a domain is the less likely it should be listed. Most spam domains are used for 3 days then abandoned. Domains older than 90 days probably should not be added. A domain more than a few years old usually should not be added."
I would say, domains older than 90 days probably should not be added *unless* they use a blacklisted nameserver.
You really have to look at both the name servers and the date, in that order.
I want to give you some data on domain age for my recent blacklistings (last two weeks):
year count 2004 4165 2003 582 2002 30 2001 6 2000 3 <=1999 12 total: 4830
There is a significant percentage of domains registered in 2003, but most of these still fall within one year of the listing. There are extremely few blacklistings for domains registered before 2003, about 1% of the total. Most of the 1999 ones are porn sites using a NS by wildrhino.com, plus one each by vendaregroup.com, webfinity.net, allproactive.com, rackhosters.com, all notorious spamhouses with SBL listings. These domains are exceptions to the rule that old domains usually don't merit listing.
About 11% of blacklisted domains were registered within 3 days of detection, 18% within 7 days, 34% within 2 weeks.
Then it gets interesting: I have no records in the set for 13-24 days, then a whole bunch of pill spam domains registered at least 25 days ago. These guys seem to wait a little before they strike.
50% of all blacklisted domains are registered no more than 35 days before listing, 60% within two months, 66% within three months, 70% with four months. As you see, the incremental gain per extra month gets smaller and smaller. Six months cover 80%, 12 months 90%, 24 months 97%.
A few comments in addition to those numbers:
1) There's a very small set of hardcore spammer NSs for which I list *all* domains that use them, regardless of age.
2) For other domains with SBL-listed NS, I routinely list them *if* they are recently registered.
3) For domains with SBL-listed NS older than a few months, I list them if they fit a pattern. Most of these will be porn and gambling sites from usual suspects, i.e. I'll see lots and lots of domains all sharing the same NS, advertised in similar spam mails. These guys stick around, so it doesn't matter much if you don't list them immediately, before you see a pattern. You can still get them later.
4) I also list sites without SBL records on the NS if they are very recently registered (usually < 6 weeks) and they fit a pattern with regard to naming or what kind of spam subject lines / sender names are used. That takes care of discardable spam domains registered with Joker.com such as these:
californiapassword.info coloradopassword.info coloradovodka.info dc-user.info dcpassword.info floridaadmin.info georgiapass.info georgiauser.info hawaii-vodka.info idahouser.info iowavodka.info kentucky-password.info
5) Recently registered domains with a name server from the same domain are more suspicious than those using a different server, because it means the name server has no track record to check.
Joe