Posted to users@spamassassin.apache.org by Sarang Gupta <sg...@ara.com> on 2006/01/19 19:23:04 UTC

Anti-phishing rules?

I've noticed that many phishing emails contain URLs with one of these two 
formats:

http://trusteddomain.com.fakedomain.xx/...
http://fakedomain.xx/.../trusteddomain.com/

where ".xx" is any TLD and "..." is any series of characters. More 
specifically, the "trusted domain" usually ends in .com (paypal.com, 
ebay.com, some_bank_name.com, etc), but the phisher's domain 
(fakedomain.xx) can have any TLD (.net, .com, .org, or any of the 
country-specific TLDs). Of course, the protocol can be https as well 
(though this is rarer).

Has anyone considered creating rules for emails containing URLs like those 
above? I realize that some legitimate sites use redirection in email:

http://your_bank.com/please/visit/our/partner/third_party_product.com/

so this can't be scored too high, but it still might be useful.

We do use clamav, but it doesn't block all phishing emails, and I thought 
this might help.

I know there are SARE_SPOOF_COM2COM and SARE_SPOOF_COM2OTH rules in 
70_sare_spoof.cf to catch things like "a.com.b.com" and "a.com.b.c", but I 
wasn't sure if these quite caught what I'm suggesting.

Has anyone tried creating rules like this and filtered out too much ham?

Are there other better ways of scoring phishing emails? I'm aware of the 
"SARE_FORGED_PAYPAL" and similar rules, but these assume the phisher will 
spoof a legitimate domain's email address, instead of just the URL.

My apologies if this has been asked before.

--
Sincerely, Sarang Gupta (sgupta@ara.com)
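A worked version of the two URL shapes described in the post, as an added example that is not part of the thread and not a SpamAssassin rule: it pulls URLs out of a message, parses the hostname properly, and flags a URL when a "trusted" brand domain is embedded inside another host (trusteddomain.com.fakedomain.xx) or appears as a path component on an untrusted host (fakedomain.xx/.../trusteddomain.com/). The trusted-brand list, the function names and the sample message are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed brand list for the example; a real rule set would carry the
# domains you actually see phished (assumption, not from the post).
TRUSTED = ("paypal.com", "ebay.com")

# Crude URL extractor: http(s) scheme up to whitespace or a delimiter.
URL_RE = re.compile(r'https?://[^\s<>"\'\)]+', re.IGNORECASE)


def _labels(name):
    """Split a host-like string into lowercase DNS labels."""
    return [l for l in name.lower().strip(".").split(".") if l]


def _embedded(host_labels, brand_labels):
    """True if the brand's labels occur contiguously inside the host at a
    position other than the suffix, i.e. 'paypal.com.evil.xx' but not
    'www.paypal.com' (the suffix is the only position DNS control implies)."""
    n = len(brand_labels)
    for i in range(0, len(host_labels) - n):  # deliberately excludes the suffix slot
        if host_labels[i:i + n] == brand_labels:
            return True
    return False


def classify_url(url, trusted=TRUSTED):
    """Return ("host", brand) for trusteddomain.com.fakedomain.xx,
    ("path", brand) for fakedomain.xx/.../trusteddomain.com/, else None."""
    parts = urlsplit(url)
    host_labels = _labels(parts.hostname or "")  # .hostname drops userinfo/port, lowercases
    for brand in trusted:
        brand_labels = _labels(brand)
        if host_labels[-len(brand_labels):] == brand_labels:
            continue  # genuinely under the brand's domain: nothing to flag
        if _embedded(host_labels, brand_labels):
            return ("host", brand)
        for segment in parts.path.split("/"):
            if _labels(segment)[-len(brand_labels):] == brand_labels:
                return ("path", brand)
    return None


def find_phish_urls(message, trusted=TRUSTED):
    """Scan message text and return (url, pattern, brand) for each hit."""
    hits = []
    for url in URL_RE.findall(message):
        verdict = classify_url(url, trusted)
        if verdict:
            hits.append((url, verdict[0], verdict[1]))
    return hits


# Constructed sample message: two phishing shapes, one real brand URL, and
# the legitimate "partner redirect" case from the post.
SAMPLE = """\
Dear customer, please confirm your account at
http://paypal.com.account-verify.xx/login/
or via https://secure-update.xx/cgi-bin/webscr/paypal.com/
Our real site: https://www.paypal.com/us/home
Partner offer: http://your_bank.com/please/visit/our/partner/third_party_product.com/
"""

if __name__ == "__main__":
    for url, pattern, brand in find_phish_urls(SAMPLE):
        print(f"{pattern:4s} {brand:12s} {url}")
```

Matching on the parsed hostname rather than on the raw string is what keeps the www.paypal.com URL clean and still catches a host with a port or userinfo in front of it. The partner-redirect URL is not flagged here only because third_party_product.com is not in the brand list; if a phished brand does appear in a legitimate redirect path, the "path" pattern will fire, which is the reason the post suggests keeping that score low.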