Maybe try these:

describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels
uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/

describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./


Quoting Bookworm :

> I'm starting to see some new phishing/scam attempts.
> What I was thinking was that it might be worthwhile to add a rule to =20
> not so much check links, but count periods. Here's the example that =20
> just came in my email -
> (removing http:// ) - =20
> connect.colonialbank.webbizcompany.c6b5r64whf623lx 426xq.secureserv.onlineu=

pdatemirror81105.colonial.certificate.update.65tw. com/logon.htm
> Notice that there are ten periods. That makes it be an eleventh =20
> level domain name?
> In general, you see fewer than four periods in a domain name - but =20
> I've seen this sort of behavior in spams before. Thoughts?
> (I'm just a general administrator. I use other people's rules, I =20
> haven't had time to learn to make my own)
> BW

Framework? I don't need no steenking framework!

@fferent Security Labs: Isolate/Insulate/Innovate =20