At Jonathan's suggestion, I've used the crt.sh DB to produce this report
of certs that have SAN:dNSName(s) that contain non-permitted characters:
I've only looked at certs for which there's a chain up to a root trusted
by Mozilla, and I've only looked at certs with notBefore dates after 1st
November 2015 (so there's no chance that any of these are "legitimate"
internal server names, per the BRs).
The characters I've treated as permitted are:
So that Symantec's "redacted" precertificates didn't make up 99%+ of the
report, I've also permitted dNSNames to begin with 0 or more instances
Senior Research & Development Scientist
COMODO - Creating Trust Online