I think it might be worth having 2 XBL tests, a high scoring test on last-external and a lower-scoring test that goes back through the untrusted headers.
I understand that Spamhaus doesn't recommend this, because dynamic IP addresses can be reassigned from a spambot to another user, but I added my own rule and it does seem to work. In my mail it hits about 9% of my spam, with zero false-positives. I suspect that part of this is down to UK dynamic addresses being very sticky, but I ran my mailing lists through SA for a few weeks and got 3 FPs out of ~2400. I think it's probably worth a point or so, and essentially it's free - all of the zen lookups get done for SBL.
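
A sketch of the lower-scoring deep test described above, as an added example that is not part of the original post and not the poster's own rule. The LOCAL_* rule names are hypothetical, the 1.0 score is taken from "a point or so", and it assumes the stock SpamAssassin DNSBL rules are loaded, so that the 'zen' set is already queried for every untrusted relay and RCVD_IN_XBL is the existing last-external test.

```conf
# local.cf -- added example; rule names LOCAL_* are hypothetical.
# Assumes the stock rules are loaded: __RCVD_IN_ZEN already queries
# zen.spamhaus.org for every untrusted relay under the set name 'zen',
# and RCVD_IN_XBL is the stock last-external XBL test.

# XBL return codes (127.0.0.4-8) on any relay in the untrusted headers.
# Reuses the 'zen' set, so no additional DNS queries are issued.
header   __LOCAL_XBL_ANY  eval:check_rbl_sub('zen', '^127\.0\.0\.[45678]$')
tflags   __LOCAL_XBL_ANY  net

# Fire only when the listing is on a relay other than the last-external
# one, so a single listed address is not scored by both rules.
meta     LOCAL_XBL_DEEP   __LOCAL_XBL_ANY && !RCVD_IN_XBL
describe LOCAL_XBL_DEEP   Earlier untrusted relay listed in Spamhaus XBL
tflags   LOCAL_XBL_DEEP   net
score    LOCAL_XBL_DEEP   1.0
```

Running `spamassassin --lint` after adding the fragment confirms it parses; the false-positive rate on list traffic is the figure to watch before raising the score.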