I have a bad habit (okay, I have *lots* of bad habits, but we're only going to talk about one of them today): I buy dropped domains. I guess I'm assuming you know what I'm talking about when I say 'domains', but if not, I'm basically talking about that thing that you type in when you want to go to a website (the stuff after the 'www' part) or the part you type in when you want to email someone (the stuff after the '@'). There's a lot more to it than that, but that's way beyond the scope of this article. Essentially you figure out what domain you want (say, example.com) and find out if someone else has already registered it (which, at this stage of Internet life, they probably have). If it's somehow available, you can pay some amount of money to some entity to 'buy' it for some period of time, usually some multiple of years (sane people would call that 'renting', but the Internet is not usually a sane place). Once the time period is up, the domain expires and is released. Then someone else can buy/rent it if they want. There are lots of reasons that a domain might be let go, including: a business registered it and then closed up shop, it got registered for a project that's no longer active, someone forgot to renew their registration, and so on. That's a long-winded way to say that domains expire all the time for all kinds of reasons. It's not something I usually think about until I try to go to some website that I haven't been to in years only to find out that it's now been replaced with porn, viruses, pornviruses, virusporn, etc. I never really gave a lot of thought to the process of how the pornvirus industry was able to track down these domains and sell them, but it turned out that one possible solution was actually pretty simple: domain drop lists. There are lots of services all over the Internet that monitor the Domain Name System for domains that are about to expire or have recently expired. 
From there anyone that wants to can peruse the lists and see if anything looks interesting. The people that run these lists position them as a way for you to do domain speculation, that is, buy something that looks valuable, convince some sucker that it *is* valuable, then sell it to said sucker at an inflated price. In practice, this no longer works (cue email where someone tells me that they made $40,000 last week selling somegarbage.org to the Los Angeles landfill), but it doesn't stop people from trying to hit the domain lottery. So, I started trawling the drop lists. Not because I think I'll hit it big by reselling a worthless expired domain to a rube (if it was really all that valuable, odds are that it wouldn't have expired in the first place or that someone who was watching it a lot more closely than I was would have gotten there first), but because it's an interesting look at parts of the Internet that I don't usually look at. If something looks particularly interesting, I'll see if archive.org has a copy of it, which they usually don't, or, at least, nothing interesting. But there's some gold there if you pan long enough. The crawls of the expired domains (especially if they've had multiple owners over the years) are an interesting microcosm of failure, neglect, optimism, and the aforementioned pornviruses (i.e. be really careful if you decide to do this over your lunch break on your company computer). If a dropped domain looks *really* interesting for some reason (maybe it was a popular site, or the site of a business or other organization, or even a bank(!) or hospital(!!)), then buying it and setting up email on it, with a catchall email address (so you receive every email sent to any address on that domain), will yield some results that should be equal parts interesting and alarming. 
Depending on all kinds of factors, you might quickly discover that the previous owners of the domain may have signed up for newsletters that they never unsubscribed from. Or that they get targeted with spam from who knows where. Or, when GDPR became a thing, you might have gotten a flood of emails informing you of the GDPR status of your account. From there, you have a list of email addresses that were real at some point (and are real again). Someone could take those email addresses and put them into something like haveibeenpwned.com to figure out a few services where that email address was discovered in a breach, and then they can reset that password and take over an account. Do not do this. An example (again, do not do this): someone owns a business, let's say, Example Business, with the website example.com. They set up a Facebook page, a Twitter account, a LinkedIn profile, and so on with social@example.com as the email address. Example Business folds up and the domain expires, but nobody takes down the social media accounts because that person got canned months prior. Someone else notices and buys example.com. Then they set up a catchall email address. The catchall gets a newsletter aimed at social@example.com. Someone puts social@example.com in haveibeenpwned.com and finds out that the account has a few breaches including LinkedIn, StackOverflow, and some forums around the Internet. Now that you know the address has been used all over the place, you can then start requesting password resets for accounts you don't own, and you will probably be successful because the recovery emails go to you instead of the original owner. Do not do this. I am not a lawyer. I don't want to be the one to test the legality of taking over an account in which the only method of verification belongs to an entity other than the one that initially created the account, and you probably don't, either. 
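The scenario above has a defensive mirror image: an organization can audit its own account inventory for recovery addresses whose domain it no longer controls, is about to let lapse, or whose mail is now being delivered to someone else's servers. The script below is an added example written for this post, not code from the author. The account inventory, the set of controlled domains, the registrar expiry dates and the MX answers are all constructed sample data; `fake_lookup_mx` stands in for a real DNS query (with dnspython you would pass a wrapper around `dns.resolver.resolve(name, "MX")` instead), and the registrar data would come from your own records or an RDAP/WHOIS lookup.

```python
"""Audit account recovery addresses for domains that could end up in a stranger's catchall."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Iterable, Mapping

# --- Constructed sample data (stand-ins for a real asset inventory, registrar data and DNS) ---

# Accounts the organisation has registered somewhere, with the recovery address each one uses.
ACCOUNT_INVENTORY: list[tuple[str, str]] = [
    ("facebook-page", "social@example.com"),
    ("twitter", "social@example.com"),
    ("linkedin", "social@example.com"),
    ("code-hosting", "ops@example.net"),
    ("bank-portal", "finance@oldbrand.example"),
]

# Domains the organisation still holds at its registrar today (constructed).
CONTROLLED_DOMAINS: set[str] = {"example.net"}

# Registrar expiry dates, i.e. what WHOIS/RDAP would report (constructed).
DOMAIN_EXPIRY: dict[str, date] = {"example.net": date(2019, 8, 20)}

# Mail hosts the organisation operates; MX records for its domains should point only here.
OUR_MAIL_HOSTS: set[str] = {"mail.example.net."}

# Canned MX answers standing in for a live resolver (constructed).
MX_ANSWERS: dict[str, list[str]] = {
    "example.net": ["mail.example.net."],
    "example.com": ["mx.some-other-host.example."],  # somebody else now receives example.com mail
    "oldbrand.example": [],                            # no MX at all: expired or parked
}


def fake_lookup_mx(domain: str) -> list[str]:
    """Offline stand-in for a DNS MX query; returns the MX hostnames for a domain."""
    return MX_ANSWERS.get(domain, [])


@dataclass(frozen=True)
class Finding:
    service: str
    email: str
    domain: str
    reason: str


def audit_recovery_addresses(
    inventory: Iterable[tuple[str, str]],
    controlled: set[str],
    expiry: Mapping[str, date],
    our_mail_hosts: set[str],
    lookup_mx: Callable[[str], list[str]],
    today: date,
    warn_days: int = 90,
) -> list[Finding]:
    """Flag every account whose recovery mailbox could be read by someone other than us."""
    findings: list[Finding] = []
    for service, email in inventory:
        if "@" not in email:
            findings.append(Finding(service, email, "", "recovery address is not an email address"))
            continue
        domain = email.rsplit("@", 1)[1].lower().rstrip(".")
        mx_hosts = [h.lower() for h in lookup_mx(domain)]

        if domain not in controlled:
            # The exact situation in the post: the domain lapsed, but the accounts live on.
            if mx_hosts:
                reason = "domain is not ours and its mail is delivered to " + ", ".join(mx_hosts)
            else:
                reason = "domain is not ours and has no MX record (expired or parked)"
            findings.append(Finding(service, email, domain, reason))
            continue

        # Domain is ours: make sure it is not about to lapse and that its mail still lands with us.
        exp = expiry.get(domain)
        if exp is None:
            findings.append(Finding(service, email, domain, "no registrar expiry date on file"))
        elif exp - today <= timedelta(days=warn_days):
            findings.append(Finding(service, email, domain,
                                    f"domain expires on {exp.isoformat()}, within {warn_days} days"))
        foreign = sorted(set(mx_hosts) - our_mail_hosts)
        if not mx_hosts or foreign:
            findings.append(Finding(service, email, domain,
                                    "MX does not point only at our mail hosts: " + (", ".join(foreign) or "none")))
    return findings


def run_sample_audit(today_iso: str = "2019-06-13") -> list[Finding]:
    """Run the audit over the constructed sample data as of the given date."""
    return audit_recovery_addresses(ACCOUNT_INVENTORY, CONTROLLED_DOMAINS, DOMAIN_EXPIRY,
                                    OUR_MAIL_HOSTS, fake_lookup_mx, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.service:14} {f.email:28} {f.reason}")
```

Run against the sample data as of 13 June 2019, the audit reports the three social accounts on example.com (mail now delivered elsewhere), the bank portal on the parked oldbrand.example, and the code-hosting account on example.net, which is still ours but lapses in 68 days. The useful part is the last case: the renewal warning fires while the domain is still yours, which is the only point at which fixing the recovery address is cheap.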
I don't have a solution to this loophole, except maybe to rail against every website on the planet requiring an account with an email address and password to do much, but that's a discussion for another time. In the meantime, I'm going to add to my collection of worthless domains, and I'm going to be really nosy and rifle through the automated emails that people send me because nobody updated their address books. Last updated 13 Jun 2019.