The first responsibility here lies with the owners of these domains letting them expire, of course. But this is such a simple and effective way to gather data for phishing, identity theft and fraud that it will hopefully be handled better at some point, and not just by individual domain owners.
The best I can come up with is that domains used like this should really have TLD-level protection from resale, so that a lapsed domain that once received mail for an organisation cannot simply be re-registered by anyone. With email so often being the key to a whole account (password resets, MFA fallbacks, account recovery), letting access to that be put at risk by an IT admin letting a domain expire, or an organisation simply forgetting about an old domain, is kind of insane.