Is it the case that such a host is already known to be a phishing host? But that does not mean phishing emails are sent from the botnet :(

I think: is it possible to check DNS offline state (NXDOMAIN) in SpamAssassin?

Reported to PhishTank:
https://phishtank.com/phish_detail.php?phish_id=6835533
https://phishtank.com/phish_detail.php?phish_id=6842063
https://phishtank.com/phish_detail.php?phish_id=6842067

The same phishing attempts are reported to Google Safe Browsing.