This makes a strong case for application-level filtering. AMC's blacklist will fail here, as any TLD can be used to exploit this. Apps will have to start detecting character properties such as symbol and punctuations (which I guess would be allowed by some TLD's IDN roll-out including VGRS's).
this was demostrated to me just now. basically, the problem is U+2215, a slash-like mathematical symbol.
wil. [gone phishing with U+2215]
