I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to not
so much check links, but count periods.

Here's the example that just came in my email -

(removing http:// ) -
connect.colonialbank.webbizcompany.c6b5r64whf623lx 426xq.secureserv.onlineupdatemirror81105.colonial. certificate.update.65tw.com/logon.htm

Notice that there are ten periods. That makes it be an eleventh level
domain name?

In general, you see fewer than four periods in a domain name - but I've
seen this sort of behavior in spams before.

Thoughts?

(I'm just a general administrator. I use other people's rules, I
haven't had time to learn to make my own)

BW