Here at Goolara we’ve been seeing a recent rise in a peculiar method of gathering and hijacking information. The basic mechanism isn’t new, but the fact that it’s being used with clickthroughs appears to be a new twist. It is based on exploiting mistyped email addresses by purchasing domain names that are either misspelled or have letters added or removed. You might, for instance, intend to send an email to someone at a Gmail address, but because you typed too quickly, it’s going to “gmial.com” instead; or maybe your finger hit two keys at once, and the mailing is sent to “gmailk.com.” In both cases, the domains are registered and your mail is actually being processed by these sites. To put it another way: That mail you accidentally sent to the wrong address is being received by someone who has intentionally chosen their domain name to take advantage of this mistake. Is that someone you really want to have any of your email data?

This technique, called typosquatting, has long been used to trick people into visiting sites (called domain doppelgangers) that look a lot like the sites they are imitating.¹ Most of it disappeared after laws were passed and some successful lawsuits were filed against these pretenders, but the legislation didn’t address the other part of the equation. The law can prevent them from mimicking an existing website, but anyone who has registered one of these domains still has the ability to receive any email sent to it. While a website could be construed as attempted fraud, simply receiving misaddressed email falls into a very gray area. Even this isn’t that new. These fakes sites have always accepted email. The new twist is that they are now apparently clicking on the links in the email they receive.

The Man-in-the-MailBox

It’s hard to know the reasons for these clickthroughs. It’s possible that they are intended to keep the address active and defray suspicion. Or it might be part of more complex scheme, such as the “Man-in-the-MailBox” scam detailed in a report on domain doppelgangers put out in 2011 by Peter Kim and Garret Gee of the Godai Group. In that report, Kim and Gee explained how they set up set up 30 doppelganger accounts for various firms and received 120,000 e-mails in the six-month testing period. Acting as middlemen, they would pass on data to the correct address and then send the information back to the intended recipient. In this way, they accrued 20 GBs of data that included everything from trade secrets to individual passwords.

It is also a method of verifying the links, which can be useful for ascertaining the value of each email address. This may seem like an inefficient way to collect addresses, but the evidence suggests that the processes here are handled primarily by bots, so minimal manpower is required. Like an army of ants, they achieve their goals methodically over time. If you intended, for instance, to send something to a specific address at Gmail, the typosquatter can now figure out the correct address without much difficulty and add it to their list. With the amount of email data passing through the Internet every hour, it is possible to build up a substantial list of names in no time.

Why It’s Important

You might be tempted to ask why this is important? After all, it’s only a few addresses here and there, but there are costs involved. Keep in mind that you’re paying for those addresses, and you’re paying for sending to those addresses. If you’re using an automated system to relay leads to your sales department, then clickthroughs from these sources can cause your sales staff to waste valuable time chasing down these imaginary leads and doing follow-ups that go nowhere.

It is also possible that some of these people are up to things far worse than merely collecting addresses. While many companies don’t accept email responses, some set up their mailings so that they send email replies to specific staff members. You don’t want to put your sales team in a situation where clicking on links from these sources—either accidentally or absentmindedly—lead to bigger problems. It is also worth remembering that these address mistakes simultaneous keep those subscribers from receiving your intended email while opening them up to receive email from these questionable sources.

Protecting Yourself

As you might imagine, protecting yourself against this problem can be tricky. Checking for typos only goes so far, and when your mailing list includes thousands of names, it’s almost impossible to catch them all. In Symphonie, we’ve added logic to the process that identifies and blocks these domains when we encounter them, so you don’t have to worry about the most commonly mistyped addresses. This doesn’t mean you shouldn’t stay on your guard, though. Like rust, these scammers never sleep and they are coming up with new naming variations all the time. Catching these people in that act is a responsibility we all share.

Requiring a double opt-in will help somewhat. Since, in most cases, the email address is initially entered by the subscriber, getting them to verify it will eliminate a lot of the potential for typos. It won’t keep you from accidentally sending the verification email to an incorrect address, but it will help keep that address off your recipient list. The mistyped address still has the potential to end up on scammer’s list, but at least you won’t be sending wasting your time and money sending mailings to them.

1. Technically, there is difference between typosquatting and domain doppelgangers. Typosquatting means a domain that is similar to the intended domain, but is misspelled, while a domain doppelganger will appear almost the same, but with periods either added, removed or misplaced (for instance yourcompanyc.om instead of yourcompany.com).