In 2007, John Markus registered local.io because it felt like a clean name for programming projects. For years, it was just another domain and, like a lot of domains with email enabled, it attracted a steady stream of spam. Then in September 2024 he flipped on a catch-all inbox and the domain turned into something most investors never see: a steady pipeline of misdirected enterprise email tied to real organizations.
John says the messages were not just random signups. They included password reset traffic, one-time codes, and notifications that appeared to be connected to internal tools and environments at major companies. In several cases, the emails suggested that sensitive systems were being set up with @local.io as if it were a safe placeholder, not a domain owned by a private individual.
John believes the root of the problem is simple and stubborn: documentation and sample configuration habits that treated local.io as “safe to use,” then spread through copy-paste culture across teams, contractors, and companies. What started as a normal registration turned into a front-row seat to how bad assumptions travel, and how quietly they get repeated.
Sully's note: This interview discusses misdirected email, account recovery flows, and security-adjacent scenarios. We’ve avoided operational details, identifiers, and anything that would help replicate access. The purpose is awareness, not instruction. John says he focused on notification and remediation, not exploitation, and we are not publishing any private data. We reached out for comment where appropriate and will update if we hear back.
Mike: You registered local.io in 2007 for programming projects. When did you first realize something unusual was happening with the domain?
John: As a network professional, I used to run my own email server. The domain used to receive over 6,000 spam emails a day, and fighting the spam required me to run a dedicated system. Over time, the volume dwindled, and when I moved the mail server to Google (on paid plans) it became manageable.
Since I was only using named accounts, most of the spam was just statistical noise. I assumed this was normal mail server admin life, not an anomaly.
Mike: Walk me through what you saw when you turned on the catch-all email in September 2024.
John: The first sign something was off was that I started receiving a lot of one-time passwords from IBM. I realized I could completely bypass password authentication by using the “forgot password” routine on the affected accounts.
I tried to contact IBM, but I was paywalled. All the relevant support contacts required paid support plans, and without that, the contact forms just threw errors.
Mike: IBM's documentation recommended @local.io as a secure throwaway domain for testing. How did that even happen?
John: Apparently, in IBM’s own variant of OpenLDAP (likely distributed along with other products), they listed “local.io” as the example domain name. It became an internal culture at IBM to believe “local.io” was safe to use without double checking it.
The domain always had a placeholder web page indicating it was owned by a private individual, so it would not have been hard to detect. People just blindly trusted internal documentation for test emails.
Mike: You mentioned OpenLDAP configuration files from 1998 used local.io as a sample domain. Did OpenLDAP ever actually own it?
John: Even with Google, it is difficult to search for records from more than 25 years ago. It is unknown whether OpenLDAP owned it.
That said, considering the upkeep fee for the domain, I find it unlikely an open source project would own it long-term. They could easily pick another domain with a lower maintenance fee.
Mike: What's the most sensitive system you accidentally gained access to through these emails?
John: The most sensitive would be IBM’s own internal network, FYRE, which is used to set up demonstration environments for their customers. IBM QRadar SOAR (security orchestration, automation and response) environments were often imbued with real security credentials that were used to demonstrate effectiveness on a potential customer’s system.
Mike: You said this spreads like malware, people see @local.io works and keep using it wherever they go. How common is this?
John: You see consistent patterns. There are currently about 10 people (contractors) who work for organizations, set up test accounts using the “local.io” domain, end the projects, then move on to a different project in another organization. You see additional new sites using that email address every few months, and patterns in the names they choose and the language settings they apply.
We know that banks in the UK like to pick names of famous British actors. Cryptographic currency handling sites use names of high-ranking EU officials. Advertisement agents use obvious pseudonyms like “Max Mustermann.” A Swiss network security training company uses real names of security professionals (likely previous customers). Vietnamese orgs tend to use real employee data pulled from an organization-wide employee database, along with real single sign-on credentials.
The patterns suggested that the financial use of the “local.io” domain was exclusively in Europe, indicating that someone was spreading the misinformation.
Mike: What would happen if local.io fell into the hands of someone less ethical than you?
John: It depends on where you are located. If you are from a country with strong data protection laws, picking a fight with a multi-billion dollar organization with a strong legal department can land you in very hot water.
The best damage you could do would be administrator access to cryptographic currency handling sites, but even then it depends on how each organization implemented failsafes. It also does not help that my information is published at the local NIC (Network Information Center) as a known networking professional.
Mike: Has anyone from IBM or any financial institution offered to buy the domain from you?
John: No one at all. People liked to silently fix the issue without bringing it up to their financial departments.
Mike: Do you think IANA or IETF should reserve certain domains like local.io to prevent situations like this?
John: I would disagree. Having IANA or IETF reserve such domains would make the internet a much less enjoyable place. We all know the stories of the most spammed email address “nobody@nowhere.com,” and there already are “safe to use in documentation only” domains such as example.com.
It amazes me that some people had the foresight of reserving and maintaining special domains such as “x.com” or “www.com.”
Mike: Do you own other domain names? If so, which names?
John: I also have domains that are my full name (minorutoda.com), several domains that are hardcoded in firewall rules as nonexistent names (not very useful, they simply don’t work since software is hardcoded to reject them), and a three-letter domain as a remembrance of the days when you could obtain any domain without paying thousands in reserved domain name fees.
Mike: What's your plan for local.io long-term? Keep it? Donate it? Try to get it reserved?
John: The .io domain is a ccTLD allocated for the British Indian Ocean Territory. The territory was annexed into Mauritius in May 2025, ending decades of dispute and British colonial rule.
The domain is destined to be dissolved as the geographic region is no longer in existence. When that time comes, “local.io” will again be a truly safe (but improper) imaginary domain to dump your sensitive financial emails.
Sully's note: Reporting on .io’s future generally describes it as uncertain. Even in a scenario where the extension ever faced retirement, any transition would likely be multi-year and dependent on ISO/IANA policy decisions and potential exceptions. Either way, the broader lesson stands: do not use real, registered domains as “throwaway” placeholders in documentation or test environments.
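The closing advice can be enforced mechanically. The following is an added example, not code from the interview or from any vendor named in it: a Python check that flags e-mail addresses in configuration or documentation text whose domain is neither reserved by RFC 2606 / RFC 6761 nor on a list of domains the organization controls. The fixture is constructed, and the function names and the `owned` parameter are assumptions of this example.

```python
import re

# Names reserved by RFC 2606 / RFC 6761; nobody can register them,
# so mail sent to them can never land in a stranger's inbox.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def is_reserved(domain):
    """True if the domain (or a parent of it) is a reserved placeholder name."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    return ".".join(labels[-2:]) in RESERVED_DOMAINS

def find_unsafe_placeholders(text, owned=()):
    """Return (line number, address, domain) for every e-mail address whose
    domain is neither reserved nor under a domain listed in `owned`."""
    owned = {d.lower() for d in owned}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            domain = m.group(1).lower()
            if is_reserved(domain):
                continue
            if any(domain == o or domain.endswith("." + o) for o in owned):
                continue
            findings.append((lineno, m.group(0), domain))
    return findings

# Constructed fixture resembling a test-environment config file.
SAMPLE = """\
# constructed sample, not taken from any real system
admin_email: admin@local.io
ldap_bind: svc-ldap@corp.example.com
notify: qa-team@example.org
reset_to: tester@dev.test
fallback: nobody@nowhere.com
"""

if __name__ == "__main__":
    for lineno, addr, domain in find_unsafe_placeholders(SAMPLE):
        print(f"line {lineno}: {addr} uses registrable domain {domain}")
```

Run as a pre-commit or CI step over docs, fixtures and seed data, with `owned` set to the domains your organization actually controls.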




