use frequency of significant parts of domain for scoring

[elbosso]

While playing around with the script and the stream i often saw something like this:

[!] Likely    : catfinder-beta.corp.amazon.com (score=84)
[!] Likely    : catfinder-test.corp.amazon.com (score=84)
[!] Likely    : catfinder.corp.amazon.com (score=83) 
[!] Likely    : cctracker.corp.amazon.com (score=81) 
[!] Likely    : cefeedback.corp.amazon.com (score=83)
[!] Likely    : cepromotions.corp.amazon.com (score=82)
[!] Likely    : contractcentral-gamma.corp.amazon.com (score=82)
[!] Likely    : contractcentral.amazon.com (score=80)
[!] Likely    : cornerstone.amazon.com (score=81)    
[!] Likely    : cosmos-dashboard.corp.amazon.com (score=82)
[!] Likely    : cube-dub.corp.amazon.com (score=83)  
[!] Likely    : cube-metrics.corp.amazon.com (score=84)
[!] Likely    : cube-pdx.corp.amazon.com (score=84)  
[!] Likely    : cube-preview.corp.amazon.com (score=84)
[!] Likely    : cube-showcase.corp.amazon.com (score=84)
[!] Likely    : cube.amazon.com (score=80)           
[!] Likely    : daenerys-beta.corp.amazon.com (score=84)
[!] Likely    : dvatools.corp.amazon.com (score=82)  
[!] Likely    : dxa-dashboard.corp.amazon.com (score=83)
[!] Likely    : fleet-widget.corp.amazon.com (score=85)
[!] Likely    : fm-console.corp.amazon.com (score=83)
[!] Likely    : fua.corp.amazon.com (score=81)       
[!] Likely    : gcxgiftfindertools-eu.corp.amazon.com (score=86)
[!] Likely    : gcxgiftfindertools-fe.corp.amazon.com (score=86)

Therefore i thought that one could find the last part acting like the tld (.com or .co.uk - compare #38 ) and ignore that. The afterwards rightmost part - in this example corp.amazon - is them checked for how often it appeared in the stream in the last say hour (or day,...) and based on that, its score is computed: the highrr this number, the higher the score...