Over the past ten years, millions of emails destined for .mil US military addresses have been mistakenly directed to .ml addresses, belonging to the African nation of Mali.
This one-character typo resulted in sensitive information, including medical data and travel itineraries, being sent to the wrong recipients. Johannes Zuurbier, who manages Mali’s top-level domain, discovered the issue and collected over 117,000 missives, raising concerns that adversaries could exploit this situation to their advantage.
Despite the issue being known to the US Department of Defense, technical controls in place prevent users from sending emails to the wrong place, but they cannot stop personal email accounts from making such mistakes due to the nature of the internet.
Zuurbier’s cache of wrongly addressed emails reveals patterns, including travel agents and private contractors as regular typo offenders. Emails intended for the Dutch and Australian military were also caught in the .ml domain instead of the correct .nl and .mil domains, respectively.
With Zuurbier’s ten-year contract with Mali’s .ml domain management expiring, there are concerns about Malian authorities setting up their own email-capturing operation, potentially gathering documents intended for the US military.
This prospect raises concerns given Mali’s close ties with Russia, which has been providing training and support to the embattled state since the nation experienced military coups in 2020 and 2021. The misdirected emails, even if they don’t contain classified information, present a significant source of intelligence over a decade, as warned by retired US Navy Admiral Mike Rogers.
