
[IP] more on FEMA mail server lacks MX record, bounced mail during emergency





Begin forwarded message:

From: Craig Partridge <craig@xxxxxxxxxxxxx>
Date: September 13, 2005 1:00:28 PM EDT
To: dave@xxxxxxxxxx
To: Steven Champeon <schampeo@xxxxxxxxxxx>
To: doctorow@xxxxxxxxxxxxx
Subject: Re: [IP] FEMA mail server lacks MX record, bounced mail during emergency



Um, this article is a bit undercooked.

Mail servers have been required since 1986 to look for MX records (this
is not new) and have been required since 1986 to look for an A record
if MX doesn't exist.

The guy what wrote the spec back then.

Craig




From: Steven Champeon <schampeo@xxxxxxxxxxx>
Date: September 13, 2005 12:23:24 PM EDT
To: dave@xxxxxxxxxx
Subject: FEMA mail server lacks MX record, bounced mail during emergency



Dave -

An article in the Wall Street Journal today said:

  "Attempts by officials at NIH to reach FEMA officials and send them
   briefing materials by email failed as the agency's server failed.

  "I noticed that every email to a FEMA person bounced back this week.
   They need a better internet provider during disasters!!" one
   frustrated Department of Health official wrote to colleagues last
   Thursday."

 http://online.wsj.com/article/0,,SB112658472240639074,00.html

Frustrated, indeed. The fema.gov DNS zone doesn't define an MX record,
which most modern mail servers use to determine where to send mail:

shell:1005 $ dig mx fema.gov

; <<>> DiG 9.2.3 <<>> mx fema.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fema.gov.                      IN      MX

;; AUTHORITY SECTION:
fema.gov.               1800    IN      SOA     ns.fema.gov. root.ns2.fema.gov. 2005090901 10800 3600 604800 1800

;; Query time: 39 msec
;; SERVER: 216.27.21.209#53(216.27.21.209)
;; WHEN: Tue Sep 13 12:09:12 2005
;; MSG SIZE  rcvd: 74

OK, then, most modern mail servers default to the A record when MX
lookups fail. So, can we connect to the fema.gov host?

;; ANSWER SECTION:
fema.gov.               1800    IN      A       205.128.1.44

Nope:

shell:1008 $ telnet fema.gov smtp
Trying 205.128.1.44...
^C

Well, then, where is the fema.gov mail server? Attempts to connect to
ns2.fema.gov were successful, though we have no way of knowing whether
that's just an unattended sendmail installation on what is arguably a
name server first and foremost (and notably on a completely different
net; it's hosted by Verizon) and the sendmail install is several years
out of date (sendmail is up to 8.13 now and there are security flaws in
all distributions up to 8.12.10 or so):

shell:1009 $ telnet ns2.fema.gov smtp
Trying 162.83.67.144...
Connected to ns2.fema.gov.
Escape character is '^]'.
220 ns2.fema.gov ESMTP Sendmail 8.11.7p1+Sun/8.11.7; Tue, 13 Sep 2005 12:11:55 -0400 (EDT)
^]

Attempts have been made to contact the SOA for the zone,
root@xxxxxxxxxxxx, but unless someone is actively reading mail for that
account it's unlikely that anyone at FEMA is minding the store.

Wouldn't it be tragic if FEMA delayed or failed to respond to emergency
situations, or failed to properly coordinate with other agencies and
NGOs because those agencies and organizations actually tried to contact
FEMA using the contact information on their Web site?

 http://www.fema.gov/feedback/

Sure, some of the addresses listed go to dhs.gov, but many go to
fema.gov, which as we've seen isn't on the email network for all
practical intents and purposes.

Perhaps instead of sending Bibles to refugees, we should be sending a
set of introductory O'Reilly systems administration and security books?

Steve

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/


-------------------------------------
You are subscribed as craig@xxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
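
The lookup order Craig describes (MX first, then the domain's A record when no MX exists), run against the records shown in Steven's dig and telnet output. This is an added example and not part of either message; the resolver table, the example.org entries, the connectivity set and the function names are constructed for illustration.

```python
# Added example: sender-side mail routing with the implicit-MX fallback.
# ZONE and SMTP_OPEN are constructed data. The fema.gov rows mirror the
# dig/telnet output quoted in the message; the example.org rows are made up.
ZONE = {
    ("fema.gov", "MX"): [],
    ("fema.gov", "A"): ["205.128.1.44"],
    ("example.org", "MX"): [(20, "backup.example.org"), (10, "mail.example.org")],
    ("example.org", "A"): ["192.0.2.80"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("backup.example.org", "A"): ["192.0.2.20"],
}
SMTP_OPEN = {"192.0.2.20"}  # addresses accepting connections on port 25 (constructed)


def lookup(name, rtype):
    """Stand-in for a resolver: return the record list, empty if none."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def delivery_targets(domain):
    """Return (source, [(host, ip), ...]) in the order a sender tries them."""
    mx = sorted(lookup(domain, "MX"))  # lowest preference value first
    if mx:
        # With MX present, the domain's own A record is never used for mail.
        hosts, source = [host for _, host in mx], "MX"
    else:
        # No MX at all: treat the domain itself as the mail host.
        hosts, source = [domain], "implicit-MX (A record)"
    return source, [(h, ip) for h in hosts for ip in lookup(h, "A")]


def diagnose(domain, can_connect=lambda ip: ip in SMTP_OPEN):
    """Classify a domain as deliverable, unreachable or unroutable."""
    source, targets = delivery_targets(domain)
    if not targets:
        return "unroutable: no MX and no A record"
    for host, ip in targets:
        if can_connect(ip):
            return f"deliverable via {source}: {host} [{ip}]"
    tried = ", ".join(ip for _, ip in targets)
    return f"unreachable via {source}: nothing listening on {tried}"


if __name__ == "__main__":
    for d in ("fema.gov", "example.org", "nonexistent.example"):
        print(d, "->", diagnose(d))
```

In a real check, `lookup` would query a resolver and `can_connect` would attempt a TCP connection to port 25 with a timeout.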



