They unfortunately use both domain and ip based reputation scores. The problem is there are effectively an infinite number of usable domains. Even after eliminating the sub-domain problem the fact is there are simply too many possible domain names that can be created and discarded on the fly for less than $5 a pop. Given the fact that bad reputation decays, they can simply rinse a repeat that process practically forever so long as they manage to make more than $5 per hour from thier spam. IPv4 addresses however, are far more scarce which is why most spam email opperations try to take over existing legitimate small email servers (commonly small businesses with thier own domain get targeted) in order to send out thier spam. Every time they succeed they use it not only to send spam emails, but Trojan viruses to all users contacts in the hope of infecting other businesses. They can even achieve this without infecting the server itself, but simply getting recipients to unknowingly run a script that tells Outlook to send the emails from whatever addresses the users has access to.