
Not sure much can be done here short of the US Government hijacking the .ml domain altogether via ICANN, which, if even achievable, would probably cause worse side-effects than the leaking of low-grade intelligence to Mali. Probably the best partial mitigation would be to make it a condition of doing business with the military to put a blocker on all emails to .ml domain, and for all partner militaries to do the same. Still won't prevent every instance, but they can probably prevent 80% of the most sensitive emails by doing this for 20% of people who communicate with them.



They don’t even need to hijack the actual TLD. Just have an internal catch all that is defined on their internal DNS. Then the sender has to double confirm the addresses before it’d be passed through.


Amazing that this common sense isn't what people think of first.


the problem is people sending emails to the wrong domain


And if the senders are mostly within the US military and are thus resolving that domain through their infrastructure, changing the outgoing domain resolution configuration for the mail servers may be able to help with this.


Yeah, you don't have to route those emails. I'm pretty sure the number of people sending emails to both .mil and .ml are a dozen people in the State Dept.


How about blocking outgoing mail to these domains? Let's assume there is no important e-mail business going on with Mali


It sounds like the DOD already does block emails to .ml because of this issue:

> Lt. Cmdr Tim Gorman [...] said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.

I think the issue is people sending emails from personal accounts that the DOD cannot control. The article also mentions travel agents as another source of the email.


>travel agents as another source of the email

Sales and travel agents, an IT dept's worst nightmare. People too busy to double check anything are the fault of emails delivering to the wrong recipient.

Colour me surprised.


or just rewrite it. all .ml becomes .mil, and then have .mil run a relay if it was an actual email to .ml.

then make it part of any contract that if you do business for .mil, and you use microsoft/zoho/gsuite etc, that they automatically run a set of ".mil compliance settings" overlaid onto your tenant.


Any e-mails with PII or other information considered sensitive are supposed to be encrypted, which is at least one reason contractors get CACs and .mil e-mails of their own, so they're able to send encrypted e-mails.

Given what can be figured out by collecting thousands of hotel itineraries or whatever is actually being leaked here, it may just be the DoD needs to crack down and expand the definition of what is considered sensitive.


The average business has no idea how to install a blocker like that.

The military should move to a domain that is safer from typosquatting, by controlling a bunch of related TLDs.

Or continue not caring about spying on random unclassified information.


The average business uses G Suite or MS Office, and I'm sure that they could find the right setting if their government contract were dependent on it. That's a heck of a lot easier to pull off than migrating >1.4 million military personnel to a new email address.


Hey, a new job for Clippy! "It looks like you're writing an email to a Mali address. Did you actually want to use a .mil address?". Especially Malians will welcome this feature...


Hah! I was talking about a server-side setting, but this is a pretty funny idea.


That's really understanding companies. If you can get a military contact, you can hire a person who can figure out email filters. It's not the only, or even hardest hoop you'd need to jump through.


They'd need every permutation of 2, 3 letters of m, i, l; and while we're at it, add the keys close-by on a qwerty layout.

It seems like a better approach would be to harden all email software in usage to ban almost-but-not-quite .mil at the end of email addresses, looking for the above permutations client-side before anything is transmitted.


Maybe have their email system do a check for a tld matching that and send a verification email before sending, just to make sure they aren't blocking legit email delivery?

Because I can see some serious shortcomings in your proposal right off the bat...


It's not just a question of whether it makes a legit TLD; it's also whether military personnel should have any reason to send email there from a given system.


Well, only the permutations which are also a valid domain, that narrows the field a lot and is also an easily obtainable list.


I'd future-proof it against coming TLDs up-front.


The ICANN has no governance over ccTLDs, so not doable.


Except ICANN controls the root DNS servers, no?


If I remember well the operations of the root DNS are delegated to other companies/organizations (Verisign for example).

I don't know how easy it would be to insert lies in the root DNS servers, without it being spotted, and without it triggering a potential war if it impacts ccTLDs.



