[mappu]

I mean, i could host a form that looks like the dropbox login page, put it on my dropbox account, link it here, and the submission would show up with a (dropbox.com) suffix. Sure, the URL wouldn't be accurate, but i'm sure i'd catch a few people.

The solution isn't to trust random TLDs, it's exposing the subdomain in the domain preview. u.dropbox.com isn't going to be hosting an important login box or news post.

The same goes for google.com/plus.google.com, although it'd be very difficult to build a phishing page out of G+. Google Pages perhaps?