On 10/02/09 13:52, quoth Michael Scheidell:
> not to be outdone by hackers and thieves, phishing for PPI, southwest 
> airlines is sending out their own DKIM signed, SPF PASSED, from their own
> servers, their very own phishing email. (didn't one of the major banks do
> something like this 3 years ago?)

I have no idea what the story is here but from what you say here, it's not
clear whether responsys is a legitimate marketing company that was hired by
southwest.

For example:


southwest.com.          900     IN      A       208.94.153.100

but the MX for southwest is

southwest.com.          900     IN      MX      10 mail-1.southwest.com.
southwest.com.          900     IN      MX      10 mail-2.southwest.com.

Then look at luv.southwest.com which has

luv.southwest.com.      90      IN      A       12.130.131.30
but also has a reverse dns
30.131.130.12.in-addr.arpa. 3600 IN     PTR     luv.southwest.com.

Then the MX for luv says:
luv.southwest.com.      90      IN      MX      20 imh2.rsys4.net.
luv.southwest.com.      90      IN      MX      10 imh.rsys4.net.

which also happens to be ns1.responsys.net

Assuming responsys *is* legit, they could do a better job of reputation
management.

> 
> all servers in the links are http (not https), and are on 
> *.luv.southwest.com ip's. http://luv.southwest.com/servlet/cc6?(and some
> number that i erased) looks like ip is owned by 'Responsys'?
> 
> host luv.southwest.com
> luv.southwest.com has address 12.130.131.30
> luv.southwest.com mail is handled by 20 imh2.rsys4.net.
> luv.southwest.com mail is handled by 10 imh.rsys4.net.
> mirror# whois 12.130.131.30
> AT&T WorldNet Services ATT (NET-12-0-0-0-1) 12.0.0.0 - 12.255.255.255
> CERFnet ATTENS-SJC1-2 (NET-12-130-128-0-1) 12.130.128.0 - 12.130.191.255
> CI - Responsys SID-10369 ATTWH-12-130-131-0-24-0809094253 (NET-12-130-131-0-1) 12.130.131.0 - 12.130.131.255
> 
> I looked up numbers on their web site.
> 
> I called southwest.  they say the hold time is between 45 mins and 1 hour
> and 6 mins.  (i wonder why). I called responsys.  phone doesn't even ring
> (800-624-5356)
> 
> I won't post full body, because of all the web bugs in it it could lead to
> the account of the person who brought this to my attention, but for people
> I know, I might share it.
> 
> content of the email is a typical phishing email: does anyone know if TSA
> really wants the airlines to collect this information?
> 
> *Action Required: TSA Changes Require You To Update Your Account*
> 
> 
> Dear Future victim of identify fraud[sic],
> 
> Southwest Airlines has been working in cooperation with the TSA to 
> introduce Secure Flight, a federally mandated program designed to help 
> enhance the security of domestic and international commercial air travel 
> through the use of improved watch list* matching.
> 
> 
> 
> Southwest Airlines is therefore required to collect additional Secure 
> Flight Passenger Data, which includes:
> 
> * Your full name, exactly as it appears on the current (non-expired)
>   government-issued photo ID that you will be traveling with
> * Date of birth
> * Gender
> * The TSA-issued Redress Number** (if applicable)
> 
> 
> here are headers. yep, dkim passed on my end (before I munged the headers)
> 
> From - Fri Oct  2 13:27:11 2009
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Received: from mx1.secnap.com.ionspam.net ([204.89.241.253])
>  by secnap3.secnap.com over TLS secured channel with Microsoft
>  SMTPSVC(6.0.3790.3959); Fri, 2 Oct 2009 13:27:05 -0400
> Received: from localhost (mx1.secnap.com.ionspam.net [204.89.241.253])
>  by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 936342B7C91
>  for <spamt...@secnap.net>; Fri,  2 Oct 2009 13:27:05 -0400 (EDT)
> Received: from omp.luv.southwest.com (omp.luv.southwest.com [12.130.137.222])
>  by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id BA8CE2B7C7B
>  for <spamt...@secnap.net>; Fri,  2 Oct 2009 13:27:03 -0400 (EDT)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=southwest;
>  d=luv.southwest.com;
>  h=MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:Reply-To:Subject:List-Unsubscribe:To:Message-Id;
>  i=rapidrewa...@luv.southwest.com; bh=K9LTM4P8WM/e8CFLBk2b3E5eKKA=;
>  b=CovqQo71dauGXRfa0/e/1yqWPkjJhNrrGITrt34DKCk2SfX8zTrbtcDFdmNabtnIAPvTbF982oUe
>  VhYLXdl5uN7qDddhsDZ4Y2l7qa/4li0RXSWQIMPt8zCPCTL/2a1zMH7MsAOtGaucHkxhiHQMZwT9
>  +rfozAHcpB98YHsdDLE=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
>  s=southwest; d=luv.southwest.com;
>  b=c4Y0HLpkWe1F5sC9DHPIDTgks95ippZeicmDIahk5M9ci+xT7iQUnzHqUncH6+Agtjf13Gwh8bKz
>  h65VN0uzG/HChchBerQpH/3JrhkCzlkyyHJfnONEPc8njpeGDg/5BYqbASDCnzKHxs8WvCIlMcI9
>  EqpTLSW7ZdrNYvrx3mE=;
> Received: by omp.luv.southwest.com (PowerMTA(TM) v3.5r10) id hoorue0morc3
>  for <scheid...@secnap.net>; Fri, 2 Oct 2009 10:27:02 -0700
>  (envelope-from <rapidrewa...@luv.southwest.com>)
> MIME-Version: 1.0
> Content-Type: text/html; charset="UTF-8"
> Content-Transfer-Encoding: quoted-printable
> Date: Fri, 2 Oct 2009 10:27:01 -0700
> From: "Southwest Airlines Rapid Rewards" <rapidrewa...@luv.southwest.com>
> Reply-To: "Southwest Airlines Rapid Rewards" <re...@luv.southwest.com>
> Subject: Important Notice: TSA Secure Flight
> List-Unsubscribe: http://luv.southwest.com?lPHpkDCABDVTElJoLpKLssFlLJgHiDgLmEa
> Return-Path: rapidrewa...@luv.southwest.com
> X-OriginalArrivalTime: 02 Oct 2009 17:27:05.0688 (UTC) FILETIME=[8FDDF580:01CA4385]


-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
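
An added example, not part of either poster's message: the comparison walked through by hand above, run over the DNS records and DKIM tags quoted in this thread (embedded inline). It shows that the DKIM d= domain aligns with the From domain while the subdomain's mail exchangers belong to a different organization, so a DKIM pass identifies the signing domain and nothing more. The helper names are illustrative, and org_domain is a simplifying assumption (last two labels instead of the Public Suffix List).

```python
# Added example. Inputs are copied from the records and headers quoted above.
RECORDS = """\
southwest.com.          900     IN      MX      10 mail-1.southwest.com.
southwest.com.          900     IN      MX      10 mail-2.southwest.com.
luv.southwest.com.      90      IN      A       12.130.131.30
30.131.130.12.in-addr.arpa. 3600 IN     PTR     luv.southwest.com.
luv.southwest.com.      90      IN      MX      20 imh2.rsys4.net.
luv.southwest.com.      90      IN      MX      10 imh.rsys4.net.
"""
# DKIM-Signature tags from the quoted headers (h=, i=, bh= and b= left out).
DKIM_TAGS = "v=1; a=rsa-sha1; c=relaxed/relaxed; s=southwest; d=luv.southwest.com"
FROM_DOMAIN = "luv.southwest.com"


def org_domain(name):
    """Assumption: organizational domain = last two labels (no PSL lookup)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def parse_records(text):
    """Turn zone-file style lines into (owner, type, rdata) tuples."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5:
            out.append((f[0].rstrip(".").lower(), f[3], f[-1].rstrip(".").lower()))
    return out


def mx_operators(records, owner):
    """Organizational domains of the hosts that accept mail for `owner`."""
    return sorted({org_domain(rdata) for name, rtype, rdata in records
                   if name == owner and rtype == "MX"})


def dkim_tags(value):
    """Split a DKIM-Signature tag list into a dict."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def assess(records_text, dkim_value, from_domain):
    records = parse_records(records_text)
    d = dkim_tags(dkim_value)["d"].lower()
    home = org_domain(from_domain)
    return {
        "dkim_d": d,
        "aligned": org_domain(d) == home,  # relaxed alignment
        "third_party_mx": [o for o in mx_operators(records, from_domain) if o != home],
    }


if __name__ == "__main__":
    print(assess(RECORDS, DKIM_TAGS, FROM_DOMAIN))
```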
