Feds must secure e-mail gateways

A number of the federal government's mail gateways are not secure, according to a CIO Council review of the top 100 federal gateways.

The survey, conducted by a workgroup on e-mail issues from the interoperability committee of the CIO Council, identified vulnerabilities such as areas in mail programs that could allow third-party access for relaying mail or other unauthorized use. The survey was part of an effort to help federal postmasters identify security weaknesses in mail gateways.

"Our objective was to educate the postmasters about the problem areas and to make them aware of the tools available to help solve [those problems]," said Keith Thurston, assistant to the deputy associate administrator for information technology policy at the General Services Administration.

Sometimes the issues were simply matters of configuration settings or outdated software.

"Some of the older versions of programs didn't have the defenses against abuse of use that newer versions do," Thurston said. "In some cases, we simply recommend the postmaster upgrade for better protection."

One particularly vulnerable area the workgroup examined was third-party relaying of messaging, a capability that spammers can use to make broadcast messages appear to be originating from a federal mail gateway.

It also is a potential tool for a denial-of-service attack at the application level. In many cases the site manager may not even be aware that his gateway was used for such a purpose.

"Although we are not aware of any U.S. government sites that have been used for third-party relay, we do know of government sites in Korea and Australia that were used by spammers," said Artch Griffin, a technical specialist at GSA and a member of the workgroup.

The workgroup is asking agencies to test their mail gateways to see what sites may be vulnerable. The solution is often as simple as reconfiguring the software, but it may require upgrading.

"We will soon have documents on the CIO Council [World Wide] Web site that offer guidance on preventing third-party relay and also some pointers to free tools, such as a Web site that will run a free test of your site," Thurston said. "In addition, we have recommended fixes for 31 of the most widely used entry points."

In the meantime, interested postmasters can turn to the Web for a discussion of mail abuse and a self-test at maps.vix.com.

"One of the added benefits of this program is that it can also lead to other improvements in operations of the gateways," Griffin said.

"As postmasters learn, they discover how to streamline and improve other areas of the site beyond just the relay problem," he said.