Oregon, still the only state with DMARC enforcement, still got hacked because they're still idiots.

Well, as I posted in the "Oregon roll-your-own-DMARC sucks" article (read it here), they screwed up. Even though they quarantine 100% of the non-DMARC compliant emails, they're still easily hackable. An "Unknown" commenter (which I let post because I will not reject any supposedly legitimate comment) suggested other states were indeed DMARC enforced. So I said to myself, "Mad Max, you could be wrong, and there could have been changes since the April "Russian phishing hole" posting  (read it here)." But I wasn't wrong.

"Man, it sucks, always being right" (the psycho genius in the movie Armageddon used that line). No other state has DMARC enforcement. You don't believe me? Here's the list, along with their DMARC vendors and the protection levels:
There were two and only two changes, neither one of which is significant. Montana fired Agari and hired proofpoint, but proofpoint still has enforcement set to NONE. And New Jersey fired proofpoint and rolled their own, but has DMARC enforcement set to…you guessed it…NONE. Hence, no net change. Oregon is the only state with a properly configured DMARC record, and they still got hacked. Because they're still idiots.

I suggested in my Oregon posting (referenced above) that the state ought to hire some serious professionals and not some thin-skinned college kids who don't know what they don't know. If you sniff around their site, you'll see that Oregon's vulnerability is obvious. What is it? Sorry Duckies, but I'm not doing free consulting. Go hire yourself a professional, and not some political hack whose only credentials is that he sucked up to power players for the last 13 years (you sucked up big time, and your security suckability shows it). And certainly, don't go to any of the moron vendors serving any other state government.

I know, I know. You're trying to limit legal liability, certainly justified based upon the Oregon Live piece (see it here). 851,000 people vulnerable. If you spent any time at all on this site, you'd see a way out; someone to sue before you get sued. But that's the only hint you'll get from me.

Pay attention, grasshopper.

Mad Max, Jailhouse Lawyer and…
Unfortunately for you, always right.

#oregon #dmarc #statevulnerabilities #russianphishinghole #OSCIO


  1. I feel like you used some out of date information. Alabama is not using DMARCian, nor are they at sp=none policy. Roll tide?

    Also, it is interesting that most states seem to only care or even "try" to roll DMARC on their public .gov zones, instead of their other zones like state.x.us.


Post a Comment

Leave your comment. The moderator will turn down no well-thought-out observations. We WILL turn down product plugs that are off target.

Popular Posts