I'm seeing a new spam variant that is clearly designed to get past SURBL. It is an HTML message that contains many (50~100) 'invisible' links; links that have no target text, just: <A href="http://garbage.sitename.tld"></A>
The intention is clear: they want to fill up the 20 'slots' of the spamcop_uri_limit with their junk links so the real "payload" URL can slip past unchecked. That's playing a statistical game: there's a 1 in 20 chance of the "payload" getting picked by the randomizer, but that means that 95% slip by.
To add insult to injury, they're tossing random "\r" (ASCII-CR) characters into the "payload" hostname to try to break SpamAssassin's URI parsing.
Is it time to create rules to penalize large numbers of 'invisible' links?
The one thing that has me worried is that people may just start cranking up the spamcop_uri_limit value as a brute-force response to this trash (or have a simple-minded client that doesn't have that kind of limit). This will add an ever-increasing load on the SURBL DNS servers. I'm already seeing a steady-state average of 130 queries/second against my two servers (with spikes in the 150~175 range). The trend has been a steady increase (passed the 100 Q/S mark last fall).
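
One way to count the empty anchors described in the message above and to recover a hostname that has stray CR bytes in it, as an added example that is not part of the original message and is not SpamAssassin code. The threshold of 20, the sample message, and all function and key names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CTRL = re.compile(r"[\x00-\x20\x7f]")  # CR, LF, tab, space, other control bytes
INVISIBLE_THRESHOLD = 20               # assumed cut-off; tune against real mail
# Constructed sample: 60 empty anchors, then one visible link with a CR in its host.
SAMPLE = "".join('<A href="http://junk%d.example"></A>' % i for i in range(60)) \
    + '<a href="http://pay\rload.example/buy">Click here</a>'

class LinkAudit(HTMLParser):
    """Record each <a href> and whether it encloses anything a reader can see."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []    # one dict per anchor: host, visible, ctrl
        self._open = None  # anchor whose content is currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            try:  # strip control bytes before parsing so a split host is rejoined
                host = urlsplit(CTRL.sub("", href)).hostname
            except ValueError:
                host = None
            self._open = {"host": host, "visible": False,
                          "ctrl": bool(CTRL.search(href))}
            if host:
                self.links.append(self._open)
        elif tag == "img" and self._open is not None:
            self._open["visible"] = True  # an image makes the link clickable

    def handle_data(self, data):
        if self._open is not None and data.strip():
            self._open["visible"] = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    links = parser.links
    invisible = sum(1 for l in links if not l["visible"])
    return {
        "invisible_count": invisible,
        "invisible_flood": invisible >= INVISIBLE_THRESHOLD,
        "visible_hosts": sorted({l["host"] for l in links if l["visible"]}),
        "ctrl_hosts": sorted({l["host"] for l in links if l["ctrl"]}),
    }
```

Calling audit(SAMPLE) reports the 60 empty anchors and lists the CR-split host as a single normalized name. Looking up the visible hosts first keeps the limited lookup slots for links a reader can actually click.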