In the past I had been looking for some way to use a dnsbl instead of those files, thus removing them from memory, but unfortunately it isn't possible since mod_sec basically has to lookup every single domain in both lists against an url in the request, and this can't be done using adnsbl.
Actually, we added in that capability into this weekends updates. We'll be pushing that this week. The first DNSBL to be supported is urirbl.com.
And the spam parallel search blocklists will be forked into their own ruleset this week too, so if you dont want to use them you can just disable the entire set. Keep in mind that the parallel search blocklists will always be faster than any DNS lookup and memory is cheap. So always use a cached option over a network lookup options if you can.
All DNSBLs implementations (spamassassin, etc.) suffer from DNS performance and throughput bottlenecks. A DNS lookup will always be much slower than an in memory lookup. Speed of the DNS lookup will be dependent on your DNS servers location and performance (how fast it replies to a query), how fast it asks for information from the authoritative server(s), and of course how quickly the RBL operators system replies.
Therefore, as always, if you use an RBL keep in mind the DNS performance penalty. And make sure you have a fast local DNS server, and if possible a mirror of the zone locally.
These rules will be disabled by default.
We are also working on an RBL for all the malware and spam domains in our blocklists. In our case though we will likely bundle an rbldnsd setup to host the zones locally so you can do rapid lookups on your own system (although not as fast as the current parallel lookup system, theres nothing we can do about that as a network stack is always slower than memory on the system).