but I *have* to do something, currently i risk bouncing perfectly valid mail originating from these IP blocks.
Did you mis-speak and really mean rejecting (at SMTP delivery time)? If not, why are you bouncing at all? Shame on you. Post delivery bounce systems are nearly as bad as spammers.
what would you say to counting the hops, then running notfirsthop tests on the SOCKS/PROXY rbl lists and then reducing the score with a meta rule, if there are more than 2 hops.
Don't bother counting hops and other garbage, just use notfirsthop for your systems and be done with it.
The "notfirsthop" setting isn't literally "not first hop" it's really "only check IPs dropping off at trusted servers", which should achieve what you desire.
I on the other hand, prefer the default, and IMO correct, behavior.
