Able to get email as md5 from unmigrated accounts

When authenticating (https://authserver.mojang.com/authenticate) you're able to get the email as md5 from it. This is used by scripties whom get the email as md5 from there and try to brute force it. This does work very flawlessy for those alt shops, some crack close to 400 unmigrated accounts with email per hour. This has also been used to gain full access to accounts like $ as you couldn't just login to $ as username.

This does sound like its intended and a huge majority of those md5 emails are unable to be brute forced. But maybe there's a way to proof that request? I'm not a big networking guy myself so I can't look into this really.