First the easy version: click the ban symbol next to the spammer's domain on your stats/referers page, then click 'perform selected operations' after it takes you to your antispam page. Done! This is what most people do, and that's cool. Lots and lots of reports done 'by the book' help when it comes time to pick new keywords.
Some background info
Your reports either become or get added to a post in a blog. Reports start as drafts that antispam admins can publish to make them become keywords. We can also deprecate drafts that don't need to ever get published. Either way new reports are always added to the post. When we publish stuff we search the database for posts with the potential keyword to see which report will get published and which ones will get deprecated. Groovy eh? There are almost 100,000 posts in this blog right now, and we filter through it all to pick the best possible keywords.
Rules? Heck I dunno. Lots of reports, not likely to block good sites, lots of reports, looks like a URL, lots of reports, has punctuation before and after, and lots of reports. Something like that...
Let's say you get hit by 4 or 5 different subdomains from the same domain. porn.badsite.tld and drugs.badsite.tld and credit.badsite.tld and snorfle.badsite.tld and blahblah.badsite.tld for example. You could click the ban symbol then the perform button for each, or go to your antispam tab and type in .badsite.tld then click the perform button and get rid of them all at once. THAT would be the report that gets published because it gives the maximum gain per keyword.
Suppose badsite.tld isn't using subdomains? Maybe it's using badsite.tld/porn or maybe it's just using itself? Maybe its actual URL is http://badsite.tld, but maybe it is http://www.badsite.tld? In either case the antispam page will ban and report badsite.tld, which leads us to another problem (and a more complex solution). This particular keyword will also block visitors from iamnotabadsite.tld. I know that's stretching things a bit but you get the idea: without leading punctuation the possibility exists to block a friendly site in addition to the bad site.
The solution, if you want to help us make effective keywords, is to do a mouseover on your stats/referer page to see if the URL has the www. part in it or not. Then when you click the ban symbol and get badsite.tld on your antispam page add either a dot or a pair of slashes in front of the URL. It'll catch the bad site as long as we've got the right leading punctuation. Alternatively you can do a mouseover and right-click then copy link location, go to your antispam tab and paste it into the box. That'll report the http:// part and the rest of the URL as well - including the file name if any. Publishing URLs with file names doesn't make sense because it only blocks that exact file name, so if you copy the link you'll also want to strip off anything after the tld.
In the end it's easiest to just ban and report eh?
Some things aren't worth reporting
Wild card characters are a waste of time! URLs don't contain *s, so don't bother using one as if it meant "anything". In other words *.badsite.tld will not block ANY spam.
The domain name without anything else. It doesn't have to be a word to be unpublishable. For example there is a keyword "isgre.at". Some people reported just the domain name "isgre", which means "myblogisgreat.com" also gets banned. False positives are bad!
Unpunctuated words. You can ban and report them, but they won't turn into keywords no matter what the word is. There are quite a few of them in the official keyword list, but now the desire is to have punctuation before and after. Like -vioxx. or .vioxx. or .vioxx- or a / perhaps. Two reasons, one of which is preventing false positives. The other is version 1.6 because it now scans comment text for matches to the keyword list. We don't want to block an innocent comment right? BTW that's why a full sentence just got published. It is the entire text from a spammer that didn't include a URL. Folks using .9.1 or an older version won't get any gain from that, but anyone using 1.6 will see that particular spammer stopped cold.
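The keyword choices discussed above, compared side by side in an added example (not code from the original page or from the antispam software). It assumes a keyword is matched as a plain case-insensitive substring of the referer URL, which is what the behaviour described here implies; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

def matches(keyword, text):
    """Assumed matching rule: plain case-insensitive substring test."""
    return keyword.lower() in text.lower()

def keyword_from_link(url):
    """Turn a copied referer link into a keyword: drop the path and file
    name, keep leading punctuation ('.' if the link used www., else '//')."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        return "." + host[len("www."):]
    return "//" + host

def score(keyword, spam, friendly):
    """Return (spam URLs caught, friendly URLs wrongly blocked)."""
    caught = [u for u in spam if matches(keyword, u)]
    false_pos = [u for u in friendly if matches(keyword, u)]
    return caught, false_pos

# Constructed sample referers using the placeholder names from the text.
SPAM = [
    "http://porn.badsite.tld/",
    "http://drugs.badsite.tld/index.html",
    "http://badsite.tld/porn",
    "http://www.badsite.tld/",
]
FRIENDLY = [
    "http://iamnotabadsite.tld/blog",
    "http://myblogisgreat.com/",
]

if __name__ == "__main__":
    candidates = ["badsite.tld", ".badsite.tld", "//badsite.tld",
                  "*.badsite.tld", "isgre"]
    for kw in candidates:
        caught, fp = score(kw, SPAM, FRIENDLY)
        print(f"{kw!r:18} catches {len(caught)}/{len(SPAM)} spam, "
              f"blocks {len(fp)} friendly")
```

Neither punctuated form catches every variant on its own, so the dotted keyword and the double-slash keyword cover different reports of the same domain.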
The software could do lots of different stuff differently, but it doesn't. The whole idea here is to let people know what they can do given the antispam system we have. There are HUNDREDS of people reporting THOUSANDS of keywords. Lots of stuff will never get published, but that's all right: the more reports we get the more we know what domains and keywords need to be published.