Due to a typo, a Dutch web administrator, Johannes Zuurbier, has received more than 100,000 emails since January that were intended for the American army. That’s what the Financial Times. Zuurbier manages Mali’s domain, which ends in .ml (like the Netherlands’ .nl) – and which is quite similar to .mil, the domain of the US military. As soon as people forget the ‘i’, he receives the emails. Sometimes with very sensitive content: tax returns, passwords or the travel plans of high-ranking officers.
Zuurbier raised the problem ten years ago and sent another letter to the United States this month. “The risk is real, and adversaries of the United States can take advantage of this,” he writes. Zuurbier and his company Mali Dili will transfer the care of the .ml domain to the government of Mali, which has close ties with Russia, on Monday.
Before Zuurbier took over the domain name of Mali in 2013, he already managed the domains of the Central African Republic, Gabon, Equatorial Guinea and the New Zealand archipelago of Tokelau. In Mali he suddenly discovered a lot of requests for domains such as army.ml and navy.ml, domains that did not exist. Zuurbier suspected that it concerned emails. When he installed a system to intercept those messages, he was quickly overrun with them and he dismantled the system.
Also read: Zuurbier bought a radio frequency for ‘Financial News Radio’ earlier this year at the first frequency auction in 20 years. It is unclear what he wants with that channel.
As soon as Zuurbier realized what was happening, he sought legal advice and tried several times to warn the American authorities. He became so nervous that he even gave his wife a copy of the legal advice: “Just to be on the safe side, if the black helicopters suddenly show up in my backyard.”
According to a Pentagon spokesperson, emails sent to a domain outside .mil are automatically blocked – so military employees must first click away a message urging them to check the sender. Apparently that is not enough in many cases, although the majority of emails are spam, says Zuurbier.
Secret emails, which as classified are marked, he never received them. But it does contain X-rays and other medical data, data on identity papers, blueprints of buildings, photos of army bases, passwords, contracts, (criminal) complaints about personnel, internal investigations into bullying and tax and financial documents. ‘Enough to gain valuable insights, even if the documents are not classified‘, says retired US Admiral Mike Rogers.
Zuurbier has also received emails from the Dutch army: army.nl, the Dutch domain, is also just one wrong key away from .ml. For example, he gained insight into a Dutch operation to collect ammunition in Italy and detailed reporting between Dutch Apache helicopters in the United States – including a complaint about the vulnerability to a cyber attack. The Ministry of Defense has not responded, writes the Financial Times. (Simoon Hermus)