Mali offers free .ML domains to anyone. What could *possibly* go wrong?

MaliIf news reports are to be believed, the West African country of Mali is planning to let anybody register .ML domain names for free.

Yes, you read that correctly.

For free.

Here’s how The Register described the plan:

Sign up to our free newsletter.
Security news, advice, and tips.

The .ML domain will be carved up in three phases, with a "Sunrise" phase in May and subsequent June "Land Rush" during which hundreds of generic and premium domain names will be released. Applicants are asked to contemplate "strategic partnership opportunities" during that period of time. Come July 15th, the world+dog can take their pick.

At first I thought it might be a late April Fool’s joke, but it appears that a press release from Freedom Registry confirms the plan:

Press release about free .ML domains

What could possibly go wrong?

Well, let’s put our thinking caps on for a minute.

  • With no cost of entry, .ML domain names will likely be snapped up quickly – not just by legitimate web users, but by online crooks who might be interested in creating phishing sites, using a .ML website to host malware, or as a redirector.
  • .ML, of course, looks really rather similar to .MIL – the TLD used by sections of the US military such as the American Navy, the Marines as well as the United States Coast Guard. Is it possible that cybercriminals might try to spoof legitimate .MIL websites by snapping up free .ML domains with confusingly similar names?
  • No payment makes it even easier for someone to register a domain name without giving their real credentials (there’s no need even to use a stolen credit card for payment). If crimes are committed involving .ML domain names, it will be hard for the authorities to trace those responsible.

Will the .ML domain name giveaway really happen?

Well, it looks likely.

A subsidiary of the same company has been handing out .TK domain names for free for some time, and boasts that “Tokelau (.tk) is now the largest country code top level domain registry in the world” with “more active domain names registrations than Russia and China combined.”

Alert on a .tk website

In the past we’ve seen lots of abuse of the .TK country code, and sure enough in the last week we have seen .TK sites being used to host malware, for phishing, and as URL shorterner services used in spam.

Quite why one of the world’s poorest countries, ravaged by conflict, would want to give away .ML domain names for free is anyone’s guess.

It’s certainly not going to boost the nation’s reputation internationally if it becomes associated with spammers, malware attacks and cybercrime.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.