We present LEMMINGS (an acronym derived from "deLetEd doMain MaIl warNinG System"), which has been developed at SIDN for warning former owners of deleted domains when their domain is likely still being used for receiving email. In this presentation, we describe the system and report results based on real-world data collected while running the system for a nine-month period and analysing over 600,000 domains.
When a .nl domain is deleted, it enters a 40-day grace period, after which it becomes available for general registration again. A malicious actor may re-register this domain with the intent of collecting email traffic still being sent to the domain. The received email may contain highly confidential and privacy-sensitive data, such as medical records. We have seen real-world examples of this in the Netherlands, for instance when domains were deleted by the Dutch Police and by healthcare organisations.
We use DNS data captured at the authoritative name servers for the .nl ccTLD to determine the probability that a deleted domain is still being used for email transactions. By analysing over 4 billion DNS requests daily, we are able to estimate the probability that email is still being sent to a deleted domain. Mail-related DNS lookups may also have other causes, and there is noise in the form of spam. The system we developed therefore contains filters for removing this noise, and it only sends a warning to the former owner of a deleted domain when there is a good indication that email is still being sent to addresses under that domain.
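The idea in the paragraph above, as an added illustration that is not SIDN's code and does not reproduce the LEMMINGS filters: MX lookups observed at the authoritative side are attributed to domains inside their 40-day grace period, and a simple noise heuristic (assumed here, not the abstract's method) requires lookups from several distinct resolvers before a warning is raised, so a single source repeatedly querying one name does not count as evidence of legitimate mail. The query records and deletion dates are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

GRACE_DAYS = 40  # .nl grace period as stated in the abstract

# Constructed sample of authoritative-side query records:
# (query date, qname, qtype, resolver id). Not real SIDN data.
QUERIES = [
    ("2023-03-02", "example-clinic.nl", "MX", "resolver-a"),
    ("2023-03-03", "example-clinic.nl", "MX", "resolver-b"),
    ("2023-03-05", "example-clinic.nl", "MX", "resolver-c"),
    ("2023-03-06", "example-clinic.nl", "A", "resolver-c"),   # not mail-related
    ("2023-03-02", "old-shop.nl", "MX", "resolver-x"),
    ("2023-03-02", "old-shop.nl", "MX", "resolver-x"),        # same source twice
    ("2023-03-04", "active.nl", "MX", "resolver-a"),          # not a deleted domain
]

# Constructed deletion dates: domain -> first day of its grace period.
DELETED = {
    "example-clinic.nl": date(2023, 3, 1),
    "old-shop.nl": date(2023, 2, 28),
}


def mail_lookups_in_grace(queries, deleted, grace_days=GRACE_DAYS):
    """Count MX lookups per (deleted domain, resolver) while the domain
    is inside its grace period; other qtypes and live domains are ignored."""
    per_domain = defaultdict(lambda: defaultdict(int))
    for day, qname, qtype, resolver in queries:
        if qtype != "MX" or qname not in deleted:
            continue
        seen = date.fromisoformat(day)
        start = deleted[qname]
        if start <= seen < start + timedelta(days=grace_days):
            per_domain[qname][resolver] += 1
    return per_domain


def should_warn(resolver_counts, min_resolvers=2):
    """Assumed noise filter: warn only when MX lookups come from at least
    `min_resolvers` distinct resolvers, so one noisy sender alone
    (e.g. a spam source) does not trigger a warning."""
    return len(resolver_counts) >= min_resolvers


def domains_to_warn(queries, deleted):
    """Deleted domains whose former owner would receive a warning."""
    lookups = mail_lookups_in_grace(queries, deleted)
    return sorted(d for d, counts in lookups.items() if should_warn(counts))
```

In a real deployment the thresholds would be tuned against the registry's own traffic; the point is that a warning rests on corroborated mail-related lookups, not on any single query.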