I recently asked a friend if I could have just a list of the domains in the LinkedIn dump, no passwords, not full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There was a total of 9,436,804 unique domain names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.

When I looked at the logs I noticed that there was a very large percentage of the domains that were coming up with NXDOMAIN. Most of the time this means that the domain isn’t registered, but can also mean that no name servers are registered for the domain (this usually happens when a corporation doesn’t want to maintain the domain but still wants to hold onto it for brand management).

I let the resolution keep going and just parsed out all of the NXDOMAINs, but when I saw the list of NXDOMAINs go over 90,000 and I wasn’t even out of the ‘A’s yet, I took a different approach. I sorted the list by count to find the most used domains (using of course my favorite sort | uniq -c | sort -n that I think everyone who’s ever done text parsing on Linux knows).

It led to a few surprises. First, people still use AOL and EarthLink?

Second… well just look for yourself:

32952409 gmail.com
24071552 hotmail.com
20421035 yahoo.com
4283225 aol.com
1983431 comcast.net
1431727 yahoo.co.in
1337019 msn.com
1041953 sbcglobal.net
1039635 rediffmail.com
995709 yahoo.fr
916458 yahoo.co.uk
845570 live.com
841415 yahoo.com.br
750175 hotmail.co.uk
742597 verizon.net
575381 hotmail.fr
530308 ymail.com
529548 cox.net
510463 bellsouth.net
504339 libero.it
480006 att.net
429760 yahoo.es
407687 btinternet.com
396313 mail.ru
376970 googlemail.com
307292 earthlink.net
304012 mac.com
266076 yahoo.in
262010 yahoo.ca

I’ve never heard of rediffmail, have you?

Anyways, I pushed the list in this order into a simple script:

cat domains_count.txt | xargs -P 100 -n 2 sh -c './findnx2.sh $1 $2' argv0 | tee nxdomains.txt

This is what is in findnx2.sh:

#!/bin/bash
# $1 is the count from uniq -c, $2 is the domain
lines=$(nslookup "$2" | grep NXDOMAIN | wc -l)
if [ "$lines" -eq 1 ]
then
  echo "$2 is open with count $1"
fi

And out popped a pretty interesting list (top 50):

domain -> number of email accounts registered under that domain (based on number of occurrences of the domain in the unfiltered list):

XXXXXXXXXXX is open with count 7606
hotmail.con is open with count 4367
c2i.net is open with count 3966
yahoo.con is open with count 3487
gmail.con is open with count 3249
90wewhelp.ru is open with count 3218
csupomona.edu is open with count 2844
us.ing.com is open with count 2622
test.linkedin.com is open with count 2583
wowhackgold.com is open with count 2515
yahoo.om is open with count 2461
alltel.net is open with count 6565
w.cn is open with count 2451
uolsinectis.com.ar is open with count 2315
gmail.fr is open with count 2830
gmail.om is open with count 2122
hotmail.cm is open with count 2044
alltel.com is open with count 2046
hotmail.om is open with count 1901
memo.ikea.com is open with count 1809
chicagogsb.edu is open with count 1758
gawab.com is open with count 2141
mscd.edu is open with count 1740
mayalasr.com is open with count 1626
yavvaram.com is open with count 1424
twtelecom.com is open with count 1448
asbada5m.com is open with count 1371
eunet.yu is open with count 1272
camerabuy.info is open with count 1156
mywdo.com is open with count 1275
g.mail.com is open with count 1089
nortelnetworks.com is open with count 1815
infotechsw.com is open with count 1040
saugov.sa.gov.au is open with count 1033
hoyllmail.com is open with count 1028
mn.rr.com is open with count 1029
apollogrp.edu is open with count 980
gemail.com is open with count 1086
v4q.info is open with count 928
hoylmail.com is open with count 915
yahoo.coom is open with count 890
ifrance.com is open with count 917
justafou.com is open with count 886
2008radiochat.info is open with count 879
myclearwave.net is open with count 967
tconl.com is open with count 939
gmail.cim is open with count 849
flykingfisher.com is open with count 866
lycos.co.uk is open with count 1092
pichosti.info is open with count 813

Basic analysis of this list:

I thought that LinkedIn validated sign-ups with an email; that’s kind of hard to do with all these domains that are obviously mistyped, unless of course they just keep the database record around indefinitely.

XXXXXXXXX is an ISP that went out of business in 2011. Their domain is available to register, which would probably mean 7606 accounts up for grabs, if not more. That’s why I redacted it, but I wanted to mention it just to demonstrate how powerful this type of analysis of a hacked site’s dump can be. $10 to purchase a domain is much cheaper and more widespread than spending cracking time on passwords just for LinkedIn (well, one can dream that everyone uses unique passwords).

WoWHackGold was also up for grabs. I picked it up just to see what kind of traffic is still going to it; these guys sold hacked WoW accounts, so I don’t particularly feel inclined to protect their info.

What can someone do with this knowledge? Well, all they have to do to reset any of the accounts registered with one of these domains is simply purchase it, set up a catch-all email address and watch the account information roll in. The “accounts” they would have access to aren’t limited to LinkedIn either; it could be anything that people use email addresses to sign up for.
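The same sweep is just as useful run defensively against your own user table, to find accounts whose email domain no longer resolves and force a recovery-address change before anyone else buys the domain. Below is an added example (not the post’s script) that parses `uniq -c` output, keeps the NXDOMAIN domains and labels those one typo away from a major provider; the counts, domains and the offline stand-in resolver are constructed, and `nslookup_is_nxdomain` is the live check in the spirit of findnx2.sh.

```python
# Added example (not the post's code): from `sort | uniq -c` output over a user table's
# e-mail domains, keep NXDOMAIN ones and label likely provider typos. Data is constructed.
import subprocess

UNIQ_C_OUTPUT = """\
   32952409 gmail.com
       4367 hotmail.con
       2515 lapsed-isp.example
        890 yahoo.coom
"""
MAJOR_PROVIDERS = ("gmail.com", "hotmail.com", "yahoo.com")

def parse_uniq_counts(text):
    """`uniq -c` lines -> [(count, domain)], domain lower-cased, no trailing dot."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(int(c), d.lower().rstrip(".")) for c, d in rows]

def nslookup_is_nxdomain(domain):
    """Live check like findnx2.sh. Caveat: nslookup asks for A records, and a mail
    domain may hold only MX, so confirm hits with WHOIS/RDAP before acting."""
    out = subprocess.run(["nslookup", domain], capture_output=True, text=True, timeout=10)
    return "NXDOMAIN" in out.stdout + out.stderr

def one_edit_away(a, b):
    """True if exactly one insert, delete or substitution turns a into b."""
    if len(a) < len(b):
        a, b = b, a                      # make a the longer (or equal) string
    if len(a) - len(b) > 1:
        return False
    for k in range(len(a)):
        if k >= len(b) or a[k] != b[k]:  # first difference is the single edit
            return a[k + 1:] == b[k + 1:] if len(a) == len(b) else a[k + 1:] == b[k:]
    return False                         # identical strings need zero edits

def find_open_domains(rows, is_nxdomain):
    """[(count, domain, label)] for NXDOMAIN domains, largest exposure first. Only
    NXDOMAIN names get the typo label, so live look-alikes such as ymail.com stay out."""
    hits = []
    for count, domain in rows:
        if is_nxdomain(domain):
            typo = next((p for p in MAJOR_PROVIDERS if one_edit_away(domain, p)), None)
            hits.append((count, domain, f"typo of {typo}" if typo else "lapsed/unregistered"))
    return sorted(hits, reverse=True)

# Constructed offline stand-in for the resolver; pass nslookup_is_nxdomain for a real sweep.
FAKE_NXDOMAIN = {"hotmail.con", "lapsed-isp.example", "yahoo.coom"}
if __name__ == "__main__":
    rows = parse_uniq_counts(UNIQ_C_OUTPUT)
    for count, domain, label in find_open_domains(rows, FAKE_NXDOMAIN.__contains__):
        print(f"{domain} is open with count {count} ({label})")
```

The typo label is only a hint for prioritising cleanup; the NXDOMAIN result is what actually makes a domain registrable by a stranger.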

/mubix

P.S. I have seen account take-overs of GMail accounts using “backup” accounts in this way. I assume Google has too since they ask me every so often now to make sure my backup email is correct.