More specifically, how does the .ml provider know the content of these messages? Do they just spoof MX for all unregistered domains, or did they specifically register the domain names mimicking the US military hostnames? Both scenarios seem sketchy.
It’s described in the article. The Dutchman who runs the registrar for Mali first started to store the emails sent to these invalid addresses before being overwhelmed (and probably realising the literal minefield that having US government secrets is) and stopping doing that. So yes, his firm was initially intercepting messages sent to the aether by spoofing invalid addresses.
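The mechanism the comment describes means a recipient domain with a one-character typo does not bounce; it is accepted by whoever answers for that domain. The defender-side check below is an added example for this thread, not code from the article or the registrar. It is a gateway-style filter that flags outbound recipients whose domain is within one edit of a domain on a protected list (US military hosts use .mil, so "army.ml" is one deletion away from "army.mil"). The protected-domain list, the addresses, and the function names are all constructed for the example.

```python
"""Outbound-recipient lookalike check (added example, not from the article).

A mail gateway can run this before relaying: recipient domains that are
within one edit of a protected domain are held for review instead of sent,
so a .mil -> .ml typo is caught on the sending side rather than at whoever
receives mail for the mistyped domain. Domain list and sample addresses are
constructed for the demonstration.
"""
from __future__ import annotations

# Constructed list of domains whose lookalikes we care about (assumption).
PROTECTED_DOMAINS = ["army.mil", "navy.mil", "mail.mil"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return the protected domain this one mimics, or None.

    An exact match is not a lookalike; a domain within `max_distance`
    edits of a protected domain (e.g. army.ml vs army.mil) is.
    """
    for good in protected:
        if domain == good:
            return None
        if edit_distance(domain, good) <= max_distance:
            return good
    return None


def flag_lookalike_recipients(addresses, protected=PROTECTED_DOMAINS):
    """Map each suspicious address to the protected domain it resembles."""
    flagged = {}
    for addr in addresses:
        hit = lookalike_of(recipient_domain(addr), protected)
        if hit is not None:
            flagged[addr] = hit
    return flagged


if __name__ == "__main__":
    # Constructed sample recipients for the demonstration.
    sample = ["jane.doe@army.mil", "john.roe@army.ml", "x@navy.mi", "y@example.com"]
    for addr, looks_like in flag_lookalike_recipients(sample).items():
        print(f"HOLD {addr}: domain resembles {looks_like}")
```

The edit-distance threshold of one is deliberately tight so that unrelated domains are not held; widen the protected list rather than the threshold if more lookalikes need to be covered.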