There are techniques that would minimize leakage of breaking campaigns but they would require some additional development on your part.

In general:

• Block connections using a dynamic black-list driven by SNF results. Content matches to cause a 15 minute black-list entry and truncate (20) matches to cause a 1 hour black-list entry.
• Use gray-listing during spam storms. Spam storms can be detected with SNF (storm sign) when you get the result code 40 or 63. This allows you to use aggressive measures such as gray-listing for short periods where they will help the most and keep them turned off the rest of the time to avoid false-positive or other support problems associated with those measures.
• Gauntlet -- When SNF + GBUdb reports that the confidence figure on the source IP is low then sequester the message for at least one hour -- then after that wait for the next rulebase update. Re-scan the message before delivering as if it were just arriving. This gives SNF and your other tests an opportunity to recognize completely new campaigns. Using the GBUdb confidence figure as a gateway mechanism to "the gauntlet" allows messages from well known IP sources to go through without any delay. The delay imposed by the gauntlet on messages from new sources is generally not recognized by end users because those messages are usually from completely new contacts.