Typo watch: 'Millions of emails' for US military sent to .ml addresses in error
Good thing Mali isn't best pals with Russia right no– oh, shoot
For the past decade, millions of emails destined for .mil US military addresses were actually directed at .ml addresses, that being the top-level domain for the African nation of Mali, it's claimed.
As a result of that one-character typo, medical data, identity documents, maps of military installations, travel itineraries, bookings for high-ranking military leaders, and more have been fired off at .ml addresses rather than the intended .mil ones, we're told.
That's not to say all those emails actually arrived in .ml inboxes. For instance, if there is no .ml domain corresponding to a legit .mil one, an email to that .ml address should bounce and remain undelivered. If a corresponding .ml domain does exist, but there is no email server running, the mail can't be delivered. However, the situation isn't quite so simple.
It starts with Johannes Zuurbier, the boss of Amsterdam-based Mali Dili, which manages Mali's top-level country domain. After noticing a good number of DNS requests for Malian domains that didn't exist, such as army.ml and navy.ml, Zuurbier set up a system to catch emails destined for these addresses.
Zuurbier's mail catcher was overwhelmed, he said, and he stopped collecting messages shortly after bringing it online. He said he repeatedly tried to alert the American government to the issue in 2014 and 2015 without any luck.
Beginning in January 2023, Zuurbier recommenced collecting misdirected .mil emails to show to US authorities. So far this year, he told the Financial Times, he's collected some 117,000 missives. The fear is that some miscreant or other could soon enough register .ml domains that correspond to .mil domains, and harvest all the lost mail.
"This risk is real and could be exploited by adversaries of the US," Zuurbier said.
When asked why the problem was allowed to go on for so long, the US Department of Defense told The Register it was aware of the issue, and that it takes "all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously."
The Pentagon said it has technical controls in place that prevent its users from sending emails to the wrong place – such as going from a .mil to a .ml – by blocking those messages before they leave Dept of Defense systems. Senders are told to check the recipient and try again; the DoD didn't mention when it added such controls.
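A sketch of the kind of outbound recipient check the Pentagon describes, as an added example (not DoD code and not from the article). The protected TLDs, the known-domain list and the sample headers are constructed assumptions, and the check is generalized to cover the .ml/.nl mix-up reported for the Dutch military as well.

```python
from email.utils import getaddresses

# Assumed policy data (constructed for this example, not real configuration).
PROTECTED_TLDS = ("mil", "nl")
KNOWN_DOMAINS = ("army.mil", "navy.mil", "example.nl")
# Constructed sample To/Cc header values.
SAMPLE_HEADERS = [
    '"J. Doe" <j.doe@army.ml>, travel@agency.example',
    "ops@hq.Navy.ML, k.jansen@example.ml, ok@army.mil",
]


def within_one_edit(a, b):
    """True if a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing character (substitution) or the extra one (insert).
    return a[i + (len(a) == len(b)):] == b[i + 1:]


def is_known(domain):
    """Match a known domain or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in KNOWN_DOMAINS)


def check_recipients(header_values):
    """Return [(address, suggested_address)] for recipients to hold back."""
    held = []
    for _name, addr in getaddresses(header_values):
        local, _, domain = addr.rpartition("@")
        base, _, tld = domain.lower().rstrip(".").rpartition(".")
        if not local or not base or tld in PROTECTED_TLDS:
            continue  # unparseable, or already addressed to a protected TLD
        for good in PROTECTED_TLDS:
            candidate = f"{base}.{good}"
            if within_one_edit(tld, good) and is_known(candidate):
                held.append((addr, f"{local}@{candidate}"))
    return held


if __name__ == "__main__":
    for bad, fix in check_recipients(SAMPLE_HEADERS):
        print(f"HOLD {bad}: did you mean {fix}?")
```

A check like this only helps on mail systems the organization controls; it does nothing for senders on personal or third-party accounts.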
As to why the issue is ongoing if the DoD has already taken some action, there's only so much it can do, the department's officials said. For one thing, someone trying to email a .mil address from a personal or external account, and typoing it as .ml, can't be stopped by the Dept of Defense due to the way today's internet works.
"It is not possible to implement technical controls preventing the use of personal email accounts for government business," the DoD told us, adding that policy updates, guidance, and training emphasize not to do so.
Zuurbier's cache of wrongly addressed emails is said to reveal a few patterns. For example, some travel agents who book trips for military personnel are regular typo offenders, as are private contractors.
The US military isn't the only armed force making such mistakes. Emails intended for the Dutch military were also caught by Zuurbier's system – messages went to .ml rather than .nl – as were messages from the Australian military intended for US military recipients.
From Mali, with love
Zuurbier's ten-year contract with the Malian government to manage .ml is due to expire this week. After that, Malian authorities could set up their own email-capturing operation and begin gathering documents intended for Uncle Sam's personnel with ease – a prospect that isn't reassuring given Mali's close ties with Russia.
Mali experienced a pair of military coups in 2020 and 2021 that have led to the nation being under military rule. Since then, Mali's relationship with its Western allies has deteriorated, while Russia has stepped in to provide training and support for the embattled state.
Officials from the west African nation have defended their coziness with Russia and resisted calls for strengthening a UN peacekeeping force deployed to the country. The UN mission has been hampered since France withdrew its troops over tensions with the military government and the reported deployment of troops from Russian mercenary outfit Wagner Group in Mali.
Retired US Navy Admiral Mike Rogers, former head of the National Security Agency and US Cyber Command, told the FT that the handover of Mali's top-level domain management to the country's military government is worrying. Even if exposed messages don't include classified info, a decade of continued mistakes at such a large scale can make even unclassified info a solid source of intelligence, he said.
"It's one thing when you are dealing with a domain administrator who is trying, even unsuccessfully, to articulate the concern. It's another when it's a foreign government that sees it as an advantage that they can use," Rogers warned.