DMSH is a quick Python script to iterate through a list of domains and check if the domain can be registered. There are many possible applications for this, but DMSH was created specifically to hunt for expired domains that had hosted mailservers, so that any lingering email sent to it can be caught.
After some trial and error, I've found that the best way is to find expired domains that appeared often in major breaches. I computed and released a list of the most popular email domains found in Collection 1-5, ANTIPUBLIC, MYR, and Zabugor breach compilations - please feel free to leverage it in your research.
Though my original - and still valid! - tactic was to look at email domain lists, such as those used by some webmasters to fight SEO spam or potentially unwanted accounts:
- Matt Ketmo's EmailChecker package and its list of throwaway domains
- Ozan Bayram's massive list of free email provider domains
This tool was inspired by this Reddit post on the legal/ethical considerations of registering old domains and publishing any incoming email, so it's fitting that it should come with a note about that.
Please use any expired domain you purchase responsibly and ethically. Everyone deserves privacy. Any email you collect from a registered domain should be reviewed for a specific purpose (ex. malware to research, spam to publish, statistics to track, etc.) and any identified PII should be deleted on discovery.
% python3 dmsh.py --help
usage: dmsh.py [-h] --file FILE [--sleep FLOAT] [--only INTEGER]
Checks if any domains in a list are expired
options:
-h, --help Show this help message and exit
--file FILE File containing domains
--sleep FLOAT Optional: Sleep [x] seconds between WHOIS queries (default: 1)
--only INTEGER Optional: Only check the first [x] domains (default: check all)
Files can be formatted either as just a list of domains:
domain
another_domain
wow_bill_your_mom_let_you_have_three_domains
or you can have an integer preceeding the domain, ex. how many times that domain appeared in a breach, or how popular it is relative to other domains:
100 domain
90 another_domain
1 exceedingly_unpopular_domain
So for example, after downloading and extracting email_domains_by_popularity.txt (ref) you might check the top 2,000 entries for expired domains, waiting 0.1s between each lookup, using:
% python3 dmsh.py --file email_domains_by_popularity.txt --only 2000 --sleep 0.1
Any large scans (>1k domains) will take a while - be patient.