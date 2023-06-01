

At Medium, Bobbyr writes:

Google launched a new TLD or “Top Level Domain” of .zip, meaning you can now purchase a .zip domain, similar to a .com or .org domain for only a few dollars. The security community immediately raised flags about the potential dangers of this TLD. In this short write-up, we’ll cover how an attacker can leverage this TLD, in combination with the @ operator and unicode character ∕ (U+2215) to create an extremely convincing phish.
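As an added example (not code from Bobbyr's post or from Medium), here is a small Python check a defender could run over links pulled from mail or chat. It recovers the host a browser would actually connect to versus the host a reader perceives, and flags the three ingredients the post names: the @ separator, the U+2215 lookalike slash, and a file-extension TLD. The sample URLs, the extra lookalike characters beyond U+2215, and the TLD list are constructed assumptions.

```python
import re

# U+2215 is the character named in the post; the others are added here as
# further characters that render like "/" (assumption, not an exhaustive list).
SLASH_LOOKALIKES = "\u2215\u2044\uff0f\u29f8\u2571"

# TLDs that are also common file extensions (assumption: a small list).
FILE_EXTENSION_TLDS = {"zip", "mov"}

def _first_index(s: str, chars: str) -> int:
    """Index of the first character of `s` found in `chars`, or len(s)."""
    for i, ch in enumerate(s):
        if ch in chars:
            return i
    return len(s)

def analyze_url(url: str) -> dict:
    """Compare the host a browser resolves with the host a reader perceives."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*://", url)
    rest = url[m.end():] if m else url
    # The authority ends at the first ASCII "/", "?" or "#"; a lookalike
    # slash does not end it, which is exactly what the trick relies on.
    authority = rest[:_first_index(rest, "/?#")]
    userinfo, at, hostport = authority.rpartition("@")
    actual_host = hostport.split(":", 1)[0].lower()
    # A casual reader stops at the first thing that looks like a slash.
    apparent = rest[:_first_index(rest, "/" + SLASH_LOOKALIKES)]
    apparent_host = apparent.split(":", 1)[0].lower()
    findings = []
    if at:
        findings.append("userinfo-before-@")
    if any(ch in url for ch in SLASH_LOOKALIKES):
        findings.append("slash-lookalike")
    if apparent_host != actual_host:
        findings.append("apparent-host-mismatch")
    tld = actual_host.rsplit(".", 1)[-1] if "." in actual_host else ""
    if tld in FILE_EXTENSION_TLDS:
        findings.append("file-extension-tld")
    return {"actual_host": actual_host, "apparent_host": apparent_host,
            "findings": findings}

if __name__ == "__main__":
    # Constructed sample: looks like a download from example.com but resolves
    # to not-the-site.zip because everything before "@" is userinfo.
    print(analyze_url("https://example.com\u2215downloads\u2215update@not-the-site.zip"))
    print(analyze_url("https://example.com/downloads/update.zip"))
```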

The .zip top-level domain is a terrible idea from a security perspective, and we can only hope that saner heads keep .jpg, .gif, .pdf, and .exe out of the complete list of top-level domains. Amusingly, Michael Tsai points out that the .zip proposal originally referred to Iomega’s now-defunct Zip drives. Sadly, it wasn’t denied like .floppy and .betamax.

More generally, when I’m scrubbing spambot-created accounts from my WordPress setup, every email address ending in a wacky top-level domain is bogus. The moral of the story is that if you must register an unusual top-level domain for a Web project, don’t also use it for email.