A Dutch internet entrepreneur says he has repeatedly warned the US government over the last decade that emails intended for the American military are being sent to Mali because of a common typo. Johannes Zuurbier tells the Financial Times that instead of the suffix .mil used for American military email addresses, people often type .ml, the domain for Mali, where the government is closely allied with Russia. Zuurbier had a 10-year contract to manage the domain but it expired Monday, with control reverting to the Malian government. Over the years, millions of messages intended for service members have been sent to .ml.
"This risk is real and could be exploited by adversaries of the US," Zuurbier warned in a letter to the US government earlier this month. He says he started collecting the misdirected emails in January to demonstrate the scale of the problem and now holds almost 120,000 of them, including around 1,000 that arrived on a single day last week. The information sent to the Mali domain includes "diplomatic documents, tax returns, and the travel details of top officers," per the FT. Zuurbier says that after he started managing the country code in 2013, he noticed a steady stream of requests for nonexistent domains like army.ml and navy.ml.
He says that after getting legal advice, he made repeated efforts to warn the US government—and gave his wife a copy of the advice "just in case the black helicopters landed in my backyard." Tim Gorman, a spokesperson for the Office of the Secretary of Defense, tells the Verge that the Pentagon is aware of the issue and is taking it very seriously. Gorman says emails sent from a .mil domain to Mali are blocked, though he acknowledges that emails sent from other government agencies or outside contractors would still get through if the sender typed the .ml suffix. (More US military stories.)