Re: IDN and Homographs Spoofing – Geoffrey Sisson – Feb 08, 2005 4:22 AM PST
While limiting IDN labels to codepoints associated with a single language (as per the ICANN IDN guidelines and RFC 3743) does significantly mitigate the problem, it does not eliminate it. For example the first label in ѕех.com contains Cyrillic codepoints only, yet in many browsers is easily confused with its US-ASCII equivalent. This isn't an indictment of the guidelines, just a warning that they should not be viewed as a magic bullet.
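The point above, that a label can pass a single-script check and still be a whole-script confusable of an ASCII name, can be checked mechanically. The following is an added example, not code from the comment author or from the page; it derives each character's script from its Unicode character name (a simplification of the real Unicode Script property, which the standard library does not expose) and uses a small hand-picked subset of the UTS #39 confusables table rather than the full data. Both the table and the sample labels are constructed for the example.

```python
"""Single-script check versus whole-script confusability for IDN labels.

Added example (not from the original thread).  Script detection via
unicodedata.name() and the CONFUSABLES table are deliberate simplifications
of the Unicode Script property and the full UTS #39 confusables data.
"""
import unicodedata

# Constructed subset of UTS #39 confusable mappings: look-alike -> ASCII.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Leading words of Unicode character names that identify a script; anything
# else (digits, hyphen, punctuation) is treated as the shared "Common" script.
SCRIPT_WORDS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def script_of(ch):
    """Approximate the script of a character from its Unicode name."""
    word = unicodedata.name(ch, "").split(" ", 1)[0]
    return word.capitalize() if word in SCRIPT_WORDS else "Common"


def to_unicode(label):
    """Accept a U-label or an A-label (xn--...) and return the lowercase U-label."""
    label = label.lower()
    if label.startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def to_ascii(label):
    """Return the A-label (punycode form) for a U-label or A-label."""
    return to_unicode(label).encode("idna").decode("ascii")


def skeleton(label):
    """Map every known confusable to its ASCII look-alike (UTS #39 style)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(label):
    """Report scripts used, single-script status and ASCII confusability."""
    u = to_unicode(label)
    scripts = {script_of(ch) for ch in u} - {"Common"}
    sk = skeleton(u)
    return {
        "label": u,
        "scripts": scripts,
        "single_script": len(scripts) <= 1,
        "skeleton": sk,
        # Flag only labels that are not ASCII but collapse to an ASCII skeleton.
        "confusable_with_ascii": sk != u and sk.isascii(),
    }


if __name__ == "__main__":
    # Constructed samples: the Cyrillic-only label from the comment above,
    # its ASCII twin, and a mixed-script label that the single-script rule
    # does catch.
    for sample in ("\u0455\u0435\u0445", "sex", "p\u0430ypal"):
        print(to_ascii(sample), analyze(sample))
```

Running it shows the asymmetry Geoffrey describes: `ѕех` is reported as single-script Cyrillic, so a per-label script restriction accepts it, yet its skeleton is `sex`, which is exactly the whole-script confusable case that a skeleton comparison (as in UTS #39) is needed to catch.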
Re: IDN and Homographs Spoofing – Jerry Burns – Mar 01, 2006 8:40 PM PST
I own the Cyrillic IDN you list (not paypal). I bought it for fun, not phishing, like buying a fake Rolex that I would never wear. I hate to sound defensive, but you are certainly not the only one to pick on that one domain. It does not pretend to be the original site. Phony bank, credit card, etc sites and scum/spyware are the real threat.
Thanks for mentioning paypal, but why pick on my site? There are several variations of triple X, xbox, xp dot com and many other IDN sites. If someone registers an ASCII domain name with the word "Microsoft" in it, they are likely to be sued if they use it to deceive. Let the current system handle it along with MS IE7 and other anti-phishing software.
[ The link in my previous comment was incorrectly rendered; it should have been: ѕех.com ]
Update: Mark Davis pointed out UTR #36, Security Considerations for the Implementation of Unicode and other Related Technologies.
Ben Laurie pointed out that I had incorrectly attributed the IDN spoofing to Secunia - it was Eric Johnson.
Update: Found a better reference to the idea Mark Davis proposed back in 2002.