These are some of the thoughts I had recently about phishing blacklists, which are going to play a major role against phishing in the near future.
- False reports can be submitted by phishers and pranksters. To prevent this, anonymous reports should not be allowed. Unfortunately, the user is not likely to be logged in when a report is made. The solution is to queue the report until the reporting user successfully logs in. Once the user is identified and associated with the report, filters and weights can be applied to rate the report.
Queueing reports with client software is no problem. For a server-side-only setup, file the report under a cookie which can be claimed when the user logs in. Unclaimed reports are removed after a time limit.
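As an added illustration (not code from the original post), the cookie-queued report flow described above: reports arrive under a browser cookie, are attached to a user only when that cookie is claimed at login, expire if unclaimed, and a URL is scored by the sum of its identified reporters' weights. The reputation table, the one-week claim window and the listing threshold are assumptions for the example.

```python
import time
from collections import defaultdict

DEFAULT_TTL = 7 * 24 * 3600  # assumed claim window: one week


class ReportQueue:
    """Holds phishing reports from not-yet-identified browsers until the
    reporter logs in; only identified reports count toward listing a URL."""

    def __init__(self, reputation, ttl=DEFAULT_TTL):
        # reputation: user_id -> weight in [0, 1]; assumed to be kept elsewhere
        self.reputation = reputation
        self.ttl = ttl
        self.pending = defaultdict(list)  # cookie -> [(url, submitted_at)]
        self.reports = defaultdict(set)   # url -> {user_id} (one vote per user)

    def submit(self, cookie, url, now=None):
        """Record an unauthenticated report under the browser's cookie."""
        self.pending[cookie].append((url, time.time() if now is None else now))

    def claim(self, cookie, user_id, now=None):
        """On login, attach the cookie's still-valid reports to the user.
        Returns the distinct URLs that were claimed."""
        now = time.time() if now is None else now
        claimed = []
        for url, submitted_at in self.pending.pop(cookie, []):
            if now - submitted_at <= self.ttl:
                self.reports[url].add(user_id)
                if url not in claimed:
                    claimed.append(url)
        return claimed

    def purge(self, now=None):
        """Drop unclaimed reports older than the time limit."""
        now = time.time() if now is None else now
        for cookie in list(self.pending):
            fresh = [(u, t) for u, t in self.pending[cookie] if now - t <= self.ttl]
            if fresh:
                self.pending[cookie] = fresh
            else:
                del self.pending[cookie]

    def score(self, url):
        """Weighted count of identified reporters; unknown users add nothing."""
        return sum(self.reputation.get(u, 0.0) for u in self.reports.get(url, ()))

    def is_listed(self, url, threshold=1.0):
        """A URL is blacklisted once its weighted report score reaches the threshold."""
        return self.score(url) >= threshold
```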
- Maintenance, particularly the removal of entries, will be a big headache as domains are reused and websites are cleaned up. Current maintainers are not equipped to handle this properly, IMHO.
- Companies should also be able to prevent some domain names from being reused, independent of domain name registrars. Ultimately, domain name registrars and blacklist maintainers will have to work things out. This will likely lead to registrars taking over maintenance of blacklists and extending the service to provide 'howis', 'whatis', and 'whereis' information as well as 'whois'.
- Beyond correlating reports, suspected URLs can be crawled to a) confirm that the site is indeed a phishing site, b) warn the phisher off, prompting them to abandon the phishing site, and possibly c) spoof back bogus information.