The last time I was hit by a not-recognized phishing campaign, no IPs or domains were present in RBL. When I took action one hour later, I found that several of them were listed.
So my idea is: is it possible to replay the queries one or two hours later? I envision two methods:
- logging the queries, with Message-IDs
- storing a copy of the message

If the second run hits a new RBL, report to me, to take action. Hope I was clear...
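
One way the first method (logging the queries with their Message-IDs) could be replayed, as an added example that is not part of the original post. The zone names, log layout and sample entries are constructed placeholders, only IPv4 addresses and domains are covered, and the resolver is injectable so the replay can be exercised without live DNS.

```python
import ipaddress
import socket

def rbl_name(item, zone):
    """DNSBL query name: reversed octets for an IPv4 address, the name itself for a domain."""
    try:
        octets = str(ipaddress.IPv4Address(item)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    except ipaddress.AddressValueError:
        return item.rstrip(".") + "." + zone

def dns_lookup(name):
    """Live resolver: the A record, or None when the name does not resolve (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(item, zone, resolve=dns_lookup):
    answer = resolve(rbl_name(item, zone))
    # Listings come back in 127.0.0.0/8; some lists use 127.255.255.x for query errors.
    return bool(answer) and answer.startswith("127.") and not answer.startswith("127.255.255.")

def replay(log, zones, resolve=dns_lookup):
    """Re-run the logged queries and return only hits that were clean at delivery time."""
    new_hits = []
    for entry in log:
        for key in ("ips", "domains"):
            for item in entry[key]:
                for zone in zones[key]:
                    if (item, zone) in entry["listed_at_delivery"]:
                        continue  # already known when the mail arrived
                    if is_listed(item, zone, resolve):
                        new_hits.append((entry["message_id"], item, zone))
    return new_hits

# Constructed sample data: placeholder zones, documentation-range IPs, fake DNS answers.
ZONES = {"ips": ["ip.rbl.example"], "domains": ["dom.rbl.example"]}
SAMPLE_LOG = [
    {"message_id": "<msg1@example.org>", "ips": ["192.0.2.10"],
     "domains": ["phish.example"], "listed_at_delivery": set()},
    {"message_id": "<msg2@example.org>", "ips": ["198.51.100.7"],
     "domains": [], "listed_at_delivery": {("198.51.100.7", "ip.rbl.example")}},
]
FAKE_DNS = {"10.2.0.192.ip.rbl.example": "127.0.0.2",
            "phish.example.dom.rbl.example": "127.0.0.4",
            "7.100.51.198.ip.rbl.example": "127.0.0.2"}

if __name__ == "__main__":
    for message_id, item, zone in replay(SAMPLE_LOG, ZONES, FAKE_DNS.get):
        print(f"{message_id}: {item} now listed in {zone}")
```

Run from cron or a timer an hour or two after delivery, each returned tuple identifies a message that passed the first check and now matches a list.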