FEMA mail server lacks MX record, bounced mail during emergency

[David Farber <dave () farber net>]

Begin forwarded message:

From: Steven Champeon <schampeo () hesketh com>
Date: September 13, 2005 12:23:24 PM EDT
To: dave () farber net
Cc: doctorow () craphound com
Subject: FEMA mail server lacks MX record, bounced mail during emergency



Dave -

An article in the Wall Street Journal today said:

  "Attempts by officials at NIH to reach FEMA officials and send them
   briefing materials by email failed as the agency's server failed.

  "I noticed that every email to a FEMA person bounced back this week.
   They need a better internet provider during disasters!!" one
   frustrated Department of Health official wrote to colleagues last
   Thursday."

 http://online.wsj.com/article/0,,SB112658472240639074,00.html

Frustrated, indeed. The fema.gov DNS zone doesn't define an MX record,
which most modern mail servers use to determine where to send mail:

shell:1005 $ dig mx fema.gov

; <<>> DiG 9.2.3 <<>> mx fema.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fema.gov.                      IN      MX

;; AUTHORITY SECTION:
fema.gov.               1800    IN      SOA     ns.fema.gov.  
root.ns2.fema.gov. 2005090901 10800 3600 604800 1800

;; Query time: 39 msec
;; SERVER: 216.27.21.209#53(216.27.21.209)
;; WHEN: Tue Sep 13 12:09:12 2005
;; MSG SIZE  rcvd: 74

OK, then, most modern mail servers default to the A record when MX
lookups fail. So, can we connect to the fema.gov host?

;; ANSWER SECTION:
fema.gov.               1800    IN      A       205.128.1.44

Nope:

shell:1008 $ telnet fema.gov smtp
Trying 205.128.1.44...
^C

Well, then, where is the fema.gov mail server? Attempts to connect to
ns2.fema.gov were successful, though we have no way of knowing whether
that's just an unattended sendmail installation on what is arguably a
name server first and foremost (and notably on a completely different  
net;
it's hosted by Verizon) and the sendmail install is several years out
of date (sendmail is up to 8.13 now and there are security flaws in all
distributions up to 8.12.10 or so):

shell:1009 $ telnet ns2.fema.gov smtp
Trying 162.83.67.144...
Connected to ns2.fema.gov.
Escape character is '^]'.
220 ns2.fema.gov ESMTP Sendmail 8.11.7p1+Sun/8.11.7; Tue, 13 Sep 2005  
12:11:55 -0400 (EDT)
^]

Attempts have been made to contact the SOA for the zone,  
root () ns2 fema gov,
but unless someone is actively reading mail for that account it's  
unlikely
that anyone at FEMA is minding the store.

Wouldn't it be tragic if FEMA delayed or failed to respond to emergency
situations, or failed to properly coordinate with other agencies and  
NGOs
because those agencies and organizations actually tried to contact FEMA
using the contact information on their Web site?

 http://www.fema.gov/feedback/

Sure, some of the addresses listed go to dhs.gov, but many go to
fema.gov, which as we've seen isn't on the email network for all
practical intents and purposes.

Perhaps instead of sending Bibles to refugees, we should be sending a
set of introductory O'Reilly systems administration and security books?

Steve

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http:// 
hesketh.com
antispam news, solutions for sendmail, exim, postfix: http:// 
enemieslist.com/


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/