Dec 20, 2011

Comacast and Gmai: all your typo email are belong to us

I’ve put my business cards in quite a few fish-bowl drawings, because the amount of personal information I’ll give away for a free chili-cheese burrito is astounding.

At some point, the proprietor of such a card-collecting eatery might pay her angsty nephew to hand-jam those email addresses into a spreadsheet. Odds are that one of those addresses is going into that list with a typo. The same thing happens with a single opt-in web form (huzzah for double opt-in).

You might think most of these typo addresses are going to bounce when you send to them, so no big deal—typos are merely a minor annoyance and occasional source of hilariousness. And when they bounce, you’ll just clean them up then.

You’d be mostly right to think that. If you fat-finger the top-level domain, you’re going to get a bounce. If you mess up anything to the left of the @ symbol, chances are you’re going to get a bounce there, too.

But what if you fat-finger the domain? This past month, I was doing some big data wrangling for our Email Genome Project, and I saw something funky going on with fat-fingered domains of large ISPs and freemail providers—specifically, email to these typos wasn’t bouncing. We actually had great delivery to these domains, which was unnerving.

Typosquatting domains sit around sites like Gmail, Yahoo!, Hotmail, Comcast, etc., and many of them love to accept all the mail they can get. For example, just in November, MailChimp users successfully sent 100,000 emails to addresses at,,, and 15 other Gmail imposters.

I’m not saying that my doppelganger doesn’t have a address, but I’d be willing to bet that while these sites accept all the email sent to them, they deserve slim to none of it.

In November alone, our users sent approximately one million emails to typosquatting domains.

Don’t navigate to these sites, please. I’ve done it for you. The creepy stylins of

It’s mighty good of them to thank you for your typo.

Who owns these sites? Darned if I know. Many of them have anonymized their WHOIS information. What if your doctor fat-fingers the email address your blood work results are going to? The hard-working folks at will know all about your iron deficiency.

Perhaps these sites are collecting email addresses, correcting the typos, and creating lists to sell. That’s bad.

Now that they have your content, they could copy it, correct the typo address, and send a customized phishing attack to one of your subscribers. That’s worse.

Why don’t we correct these typos for you? Even if we could identify all these domains and pass judgment on whether or not a particular email address is intentional, correcting the address gets into permission issues. On a single opt-in list, someone might have intentionally given a bad email address. From a data-science perspective, these typos are an excellent signal of list quality—and they’re useful in "scoring" campaigns before they go out the door (hint, hint).
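As an added illustration of treating typos as a list-quality signal (this is not MailChimp's code or scoring method), the sketch below flags addresses whose domain is one edit away from a large provider and reports the share of the list affected, without rewriting any address. The provider list, the distance threshold and the sample addresses are assumptions constructed for the example.

```python
# Added example: flag (never rewrite) addresses whose domain is a near-miss
# of a large mailbox provider. Provider list and threshold are assumptions.
PROVIDERS = ("gmail.com", "yahoo.com", "hotmail.com", "comcast.net")

# Constructed sample list; none of these addresses come from the article.
SAMPLE = ["alice@gmail.com", "bob@gmai.com", "carol@comacast.net",
          "dave@gmial.com", "erin@example.org"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    transpose two adjacent characters, each at cost 1."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            rows[i][j] = min(rows[i - 1][j] + 1,        # deletion
                             rows[i][j - 1] + 1,        # insertion
                             rows[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]


def suspected_provider(address: str, max_distance: int = 1):
    """Return the provider this domain is probably a typo of, else None."""
    domain = address.rpartition("@")[2].strip().lower()
    if not domain or domain in PROVIDERS:
        return None
    for provider in PROVIDERS:
        if osa_distance(domain, provider) <= max_distance:
            return provider
    return None


def typo_report(addresses):
    """Return (flagged pairs, share of list flagged) for manual review."""
    flagged = [(a, p) for a in addresses if (p := suspected_provider(a))]
    share = len(flagged) / len(addresses) if addresses else 0.0
    return flagged, share
```

A one-edit threshold also catches legitimate neighbours such as ymail.com, so the output is a review queue and a score input, not a correction list.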

So look out for typos, and seriously consider going double opt-in. After all, if you’re not careful, you may end up in a coma…cast. *rimshot*