Nathan Barham wrote:

I received a phishing scam yesterday where the domain part of the evil link was in html hex code. This seems to defeat any SURBL listing. I'm using a postfix body check to handle it now, but does anyone have a better idea?

It could be worse. They could be using javascript to factor a given product of large primes, and then using the factors to build the IP address.