Nuke it from orbit. It's the only way to be sure.
A system administrator of my acquaintance blocked all .ru domains from connecting to his network, because all he was getting from it was spam. Maybe the same tactic could be used with .tk. Harsh, I know. But I was shocked at how easy it was to get a .tk domain. Go to http://www.dot.tk/en/index.html?lang=en, and follow the steps. There's only one captcha, and no email validation at all. If I can do it in less than a minute, then phishers can do it too. Tk. really needs to tighten their act.