In a recent revelation, it has emerged that the Ministry of Defence (MoD) has identified 55 emails that were incorrectly sent to the .ML top-level domain, which belongs to the African nation of Mali, since January 2022.
The information came to light in a response to a written parliamentary question.
“The Ministry of Defence takes the security of our people, our information and our systems very seriously. While all sensitive information is shared on systems which would prevent such misdirection, policies are put in place on all email systems to minimise the risk of such mistakes,” stated Andrew Murrison, The Parliamentary Under-Secretary of State for Defence.
Further clarifying, he mentioned, “Investigations are still ongoing however to date, we have identified 55 emails that have been sent to the .ML top level domain since January 2022. Of these, it is assessed that 15 were misdirected emails, that were destined for a .MIL address. We are confident that this small number of emails did not contain any technical data or information that could compromise operational security. Seven of these were sent in 2022, and eight in 2023.”
For context, over the past ten years, many emails that were intended for the .mil US military addresses were mistakenly directed at .ml addresses due to a single-character error.
This mishap potentially redirected sensitive data like medical records, identity documents, and maps of military installations, although not all such emails reached their unintended .ml recipients.
I first came across this story in July when Johannes Zuurbier the Dutch bloke who has a contract to manage Mali’s country domain went public regards the missent mail he receives due to been misdirected to Mali through a “typo leak” as mentioned above by the omission of the middle i in Mil. He states he has been receiving such misdirection’s for over 10 years and despite him contacting the US gov regards these misdirection’s, he still receives up to 1000 emails a day from all over the world. The reason he went public is on the 24th of July… Read more »
It should take 2 minutes to put a rule on the MOD email servers to return any emails sent to a Mali email address back sender saying “Did you mean to send an email to Mail – contact IT if you really want to email Mali”
Exactly so.
Incomprehensible that there are not blocked suffix lists.
Most organisations have them in some way shape or form.
Why didn’t these emails bounce back as undeliverable?
Surely Mali does not have email addresses that are exactly the same as UK ones before the ampersand?
Catch-all, also known as “accept-all” is a domain-wide setting mail server that is configured to accept all emails sent to the domain, no matter if the specified mailbox exists or not.
It would take me 2 mins about £20 a year to set up any email address I wanted and accept and forward all email to me.
Thanks. Thats a new one on me.