Is confidential information leaking from your domain?

September 22, 2018 (Sat). Several years ago, I had an experience which shows how confidential information of your company may leak to outsiders if you don't own your brand-matching .com domain. The problem highlights human weakness when sending emails.

It happened when I was setting up email addresses using a .com domain. I somehow turned on its catch-all function. In the next few days, I received all sorts of emails and documents not intended for me: such as financial data, job application, invoice, and even internal memo.

You see, catch-all is a very handy function. When you set up email addresses for a domain, you can turn on its catch-all function. Then, emails sent to any address, including those you have not even set up, will be received. This allows you to create new email addresses on the fly, without going through the technical process. For example, suppose I own and I have set up only one address and have the catch-all function turned on. I will of course receive email sent to I will also receive any email sent to an email address ending "", such as and

Suppose you are a Chinese company running your business from the domain, which is reasonable because you are located in China. You have set up email addresses such as and What will happen?

Humans are not precise and tend to forget things. With .com becoming so popular, there are always some people who assume domains end with ".com". So, when employees in your company want to send financial data to your accounting department, without thinking or in a hurry they may just type The result is that confidential information intended for ends up in the mail box of In the same way, your banks, suppliers, customers, auditors and the likes may make the same kind of mistake. Even more scary, the sender may not know the email has been sent to the wrong place!

As .com becomes more and more popular across the world, this problem will only worsen. If you are concerned with leakage of confidential information, make sure you own your brand-matching .com domain.

Join me on LinkedIn for further discussion.