If you live in pedocommiechusetts, FYI:

In early 2024, I reported a serious security flaw in the Commonwealth of Massachusetts email system to the office of Senator Michael Moore, Chair of the state’s cybersecurity committee.

Sixteen months later, nothing has been fixed. Domains such as http://mass.gov, http://masenate.gov, and http://jud.state.ma.us still lack required email-authentication controls (SPF and DMARC).

Because of this, anyone can send emails that appear to come from these official addresses, and on most phones or tablets those spoofed messages look completely legitimate to the recipient.

This ongoing gap enables:
• Phishing and credential-theft attacks targeting citizens, employees, and vendors.
• Vendor or payroll fraud through fake “bank-account change” or “invoice-update” messages.
• Ransomware delivery disguised as official state IT communications.
• Identity-theft and benefit-fraud schemes exploiting public trust in government email.

Both CISA and CERT/CC reviewed the issue and confirmed that mitigation is the Commonwealth’s responsibility.

It’s a straightforward configuration fix that any qualified IT administrator — or anyone who can follow published standards — could complete in under an hour.

After more than a year without remediation, this vulnerability clearly persists. The public deserves to know. The risk is real.