Typos are really bad news; here's why

When I talk about email typos to a marketing audience, I sometimes get a mixed response. Yeah, typos lead to mail to spamtraps, and spamtraps can have some impact on deliverability, but are they really that bad? Who cares if my marketing e-flyer goes to the wrong address? I know, I know, I need to worry about engagement and inbox placement, but it's not like national security is at stake. Or is it?

See, there's a whole other side to the problem of typo addresses, typo domains, and spamtraps. The issue is that marketers aren't the only people sending to wrong addresses. Do you know how many people sign up with a social media account using the wrong email address? Tons! TONS!!! People typo their own email address constantly. When registering for Facebook, Twitter, TikTok, Tumblr, Livejournal, and all the other sites you've never heard of. And that's just on the social scene. People typo the email address of their lawyer. People typo their address when submitting a loan application. People typo the email address of their Aunt Sally constantly.

And where does that mail go? Some of it bounces, but not all.

Bad guys will camp on large numbers of typo addresses and domains, looking for things to exploit. Bad guys who get lucky and buy a domain name that is similar to a real one often just have to sit back and wait for PII (personally identifiable information) to come to them. They don't even have to go hunting for it. Just configure a mail server to grab and log (or forward) all the mail received, and PII magically just shows up in that email stream. It's like, instead of actively going out and robbing people, if you were able to just sit on your front porch and watch, in amazement, as people drop off their valuable data on your door step, gifting you the opportunity to exploit them.

Those of us that have operated spamtrap networks have known of this problem for a long time. Do you know how many password reset emails come through a spamtrap feed in any given day? I do. The number isn't small. If I wanted to turn into a bad guy, I could reset the password for and get access to a whole bunch of different social media accounts...which would probably take me a grand total of less than fifteen minutes.

But I'm a good guy, so I don't do stuff like that. That's why I don't even save body content from spamtrap messages, because I don't want people think they could hack other peoples' accounts by hacking my spamtrap data feeds.

But not everybody is a good guy, are they?

Thankfully, Dutch entrepreneur Johannes Zuurbier seems to be a good guy. He's warning the world of a very real and very problematic example of leaking very sensitive data due to typo'd email addresses. If you meant to email bob@us.army.mil but forgot the "i" when typing in the address, that email message ends up going to bob@us.army.ml, which is a whole different domain -- a whole different TLD! Managed by a non-US entity.

This is very bad. But remember that Johannes is not the bad guy; he's somebody willing to warn the public about this. There are a whole bunch of bad guys out there whom you can't see, happily hoovering up this kind of data. Some people will see this and say that Johannes should be sanctioned; but they're missing the point. Johannes isn't doing bad things with this data; he's warning you that there are other people out there who could, and likely are, doing bad things with data leaked like this.

That's why email data hygiene matters. That's why typos are just absolutely bad news. Deliverability success for marketing messages is not the only concern in the world. There's way more to it -- list hygiene, properly verifying email addresses, data security and data leakage. It's all connected. Even sometimes, to national security.



  1. thanks to form autocompletion, the number of typo is highly reduced now (in theory)


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.