I just thought that the attack scenario outlined above could also happen through unaware newcomers who make only / mainly trust relationships with other newcomers.
Even with the above suggestion of the 90% rule, we could sooner than later end up having more than 11% newcomers that mainly certified other newcomers.
Some thoughts on this problem:
The first thing we could do is to recommend certifying people who certified you (of course you should still verify them).
A further solution could be to count only both-way certifications / trust lines for the web of trust.
Another solution could be to count only members for the distance rule that reach x% (let's say 66%) of the members with the distance rule settings.
Of course, a combination of all 3 would also be possible.
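The effect of the second and third ideas in the post above, as an added example that is not part of the original post or of any project's code. It assumes a simplified distance rule (a member passes when at least `SHARE` of the counted members reach them within `MAX_STEPS` certification hops); the graph, member names and settings are constructed.

```python
from collections import deque

def reach(certs, src, max_steps):
    """Members reachable from src within max_steps certification hops."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if dist < max_steps:
            for issuer, receiver in certs:
                if issuer == node and receiver not in seen:
                    seen.add(receiver)
                    queue.append((receiver, dist + 1))
    return seen - {src}

def mutual_only(certs):
    """Second idea: count a certification only if it is returned."""
    return {(a, b) for a, b in certs if (b, a) in certs}

def referents(members, certs, max_steps, min_share):
    """Third idea: only members who reach min_share of the others count."""
    need = min_share * (len(members) - 1)
    return {m for m in members if len(reach(certs, m, max_steps)) >= need}

def passing(members, certs, max_steps, share, refs):
    """Members reached by at least `share` of the referents other than themselves."""
    ok = set()
    for m in members:
        others = refs - {m}
        hits = sum(m in reach(certs, r, max_steps) for r in others)
        if others and hits >= share * len(others):
            ok.add(m)
    return ok

def both_ways(pairs):
    return {(a, b) for a, b in pairs} | {(b, a) for a, b in pairs}

# Constructed graph: established members A-D, newcomers N1-N3.
CORE = both_ways([("A", "B"), ("B", "C"), ("C", "D"), ("D", "A"), ("A", "C")])
NEWCOMERS = both_ways([("N1", "N2"), ("N2", "N3"), ("N3", "N1")])
CERTS = CORE | NEWCOMERS | {("D", "N1")}  # D certified N1, never returned
MEMBERS = {"A", "B", "C", "D", "N1", "N2", "N3"}
MAX_STEPS, SHARE, MIN_REACH = 3, 0.9, 0.66  # assumed settings

if __name__ == "__main__":
    print("everyone counts:", sorted(passing(MEMBERS, CERTS, MAX_STEPS, SHARE, MEMBERS)))
    refs = referents(MEMBERS, CERTS, MAX_STEPS, MIN_REACH)
    print("filtered referents:", sorted(refs))
    print("passing:", sorted(passing(MEMBERS, CERTS, MAX_STEPS, SHARE, refs)))
    print("A reaches (mutual only):", sorted(reach(mutual_only(CERTS), "A", MAX_STEPS)))
```

When every member counts, the newcomers who certify only each other never reach A-D, so all four established members fail the rule; once only members who themselves reach 66% of the others are counted, A-D pass again.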