Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2009/10/02 19:52:12 UTC

southwest airlines sends out their own phishing email

not to be outdone by hackers and thieves, phishing for PPI, southwest 
airlines is sending out their own DKIM signed, SPF PASSED, from their 
own servers, their very own phishing email. (didn't one of the major 
banks do something like this 3 years ago?)

all servers in the links are http (not https), and are on 
*.luv.southwest.com ip's.
http://luv.southwest.com/servlet/cc6?(and some number that i erased)
looks like ip is owned by 'Responsys'?

host luv.southwest.com
luv.southwest.com has address 12.130.131.30
luv.southwest.com mail is handled by 20 imh2.rsys4.net.
luv.southwest.com mail is handled by 10 imh.rsys4.net.
mirror# whois 12.130.131.30
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
                                  12.0.0.0 - 12.255.255.255
CERFnet ATTENS-SJC1-2 (NET-12-130-128-0-1)
                                  12.130.128.0 - 12.130.191.255
CI - Responsys SID-10369 ATTWH-12-130-131-0-24-0809094253 
(NET-12-130-131-0-1)
                                  12.130.131.0 - 12.130.131.255

I looked up numbers on their web site.

I called southwest.  they say the hold time is between 45 mins and 1 
hour and 6 mins.  (i wonder why).
I called responsys.  phone doesn't even ring (800-624-5356)

I won't post full body, because of all the web bugs in it it could lead 
to the account of the person who brought this to my attention, but for 
people I know, I might share it.

content of the email is a typical phishing email:
does anyone know if TSA really wants the airlines to collect this 
information?

*Action Required: TSA Changes Require You To Update Your Account*

Dear Future victim of identify fraud[sic],

Southwest Airlines has been working in cooperation with the TSA to 
introduce Secure Flight, a federally mandated program designed to help 
enhance the security of domestic and international commercial air travel 
through the use of improved watch list* matching.

 

Southwest Airlines is therefore required to collect additional Secure 
Flight Passenger Data, which includes:

    * Your full name, exactly as it appears on the current (non-expired)
      government-issued photo ID that you will be traveling with
    * Date of birth
    * Gender
    * The TSA-issued Redress Number** (if applicable)


here are headers.
yep, dkim passed on my end (before I munged the headers)

 From - Fri Oct  2 13:27:11 2009
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from mx1.secnap.com.ionspam.net ([204.89.241.253]) by 
secnap3.secnap.com over TLS secured channel with Microsoft 
SMTPSVC(6.0.3790.3959);
     Fri, 2 Oct 2009 13:27:05 -0400
Received: from localhost (mx1.secnap.com.ionspam.net [204.89.241.253])
    by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 936342B7C91
    for <sp...@secnap.net>; Fri,  2 Oct 2009 13:27:05 -0400 (EDT)
Received: from omp.luv.southwest.com (omp.luv.southwest.com 
[12.130.137.222])
    by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id BA8CE2B7C7B
    for <sp...@secnap.net>; Fri,  2 Oct 2009 13:27:03 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=southwest; d=luv.southwest.com;
 h=MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:Reply-To:Subject:List-Unsubscribe:To:Message-Id;
 i=RapidRewards@luv.southwest.com;
 bh=K9LTM4P8WM/e8CFLBk2b3E5eKKA=;
 b=CovqQo71dauGXRfa0/e/1yqWPkjJhNrrGITrt34DKCk2SfX8zTrbtcDFdmNabtnIAPvTbF982oUe
   VhYLXdl5uN7qDddhsDZ4Y2l7qa/4li0RXSWQIMPt8zCPCTL/2a1zMH7MsAOtGaucHkxhiHQMZwT9
   +rfozAHcpB98YHsdDLE=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=southwest; d=luv.southwest.com;
 b=c4Y0HLpkWe1F5sC9DHPIDTgks95ippZeicmDIahk5M9ci+xT7iQUnzHqUncH6+Agtjf13Gwh8bKz
   h65VN0uzG/HChchBerQpH/3JrhkCzlkyyHJfnONEPc8njpeGDg/5BYqbASDCnzKHxs8WvCIlMcI9
   EqpTLSW7ZdrNYvrx3mE=;
Received: by omp.luv.southwest.com (PowerMTA(TM) v3.5r10) id 
hoorue0morc3 for <sc...@secnap.net>; Fri, 2 Oct 2009 10:27:02 -0700 
(envelope-from <Ra...@luv.southwest.com>)
MIME-Version: 1.0
Content-Type: text/html;
    charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 2 Oct 2009 10:27:01 -0700
From: "Southwest Airlines Rapid Rewards" <Ra...@luv.southwest.com>
Reply-To: "Southwest Airlines Rapid Rewards" <re...@luv.southwest.com>
Subject: Important Notice: TSA Secure Flight
List-Unsubscribe: 
http://luv.southwest.com?lPHpkDCABDVTElJoLpKLssFlLJgHiDgLmEa
Return-Path: RapidRewards@luv.southwest.com
X-OriginalArrivalTime: 02 Oct 2009 17:27:05.0688 (UTC) 
FILETIME=[8FDDF580:01CA4385]
-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
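The post above makes the triage point directly: a valid DKIM signature and an SPF pass only prove that the owner of luv.southwest.com sent the mail, not that a form behind a plain-http link is a safe place to type a date of birth. The following is an added example, not code from the post or from SpamAssassin, that runs the checks the thread discusses over a constructed copy of the quoted headers: DKIM d= alignment with the From: domain, whether the signing domain is a subdomain of the organisational domain, which host originated the message, and which links would submit data over http. The recipient address (abbreviated in the archive) and the DKIM b= value are placeholders, Reply-To and DomainKey headers are left out, and the HTML body is invented because the poster withheld the real one.

```python
"""Triage of a DKIM-signed, SPF-passing message that still reads like phishing.

Added example, not code from the mailing-list post or from SpamAssassin.
RAW_MESSAGE is constructed from the headers quoted in the post: the recipient
address and the DKIM b= value are placeholders, Reply-To and DomainKey headers
are omitted, and the HTML body is invented (the poster withheld the real one).
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

RAW_MESSAGE = """\
Received: from localhost (mx1.secnap.com.ionspam.net [204.89.241.253])
    by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 936342B7C91
    for <recipient@example.net>; Fri,  2 Oct 2009 13:27:05 -0400 (EDT)
Received: from omp.luv.southwest.com (omp.luv.southwest.com [12.130.137.222])
    by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id BA8CE2B7C7B
    for <recipient@example.net>; Fri,  2 Oct 2009 13:27:03 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=southwest;
 d=luv.southwest.com;
 h=MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:Reply-To:Subject:List-Unsubscribe:To:Message-Id;
 i=RapidRewards@luv.southwest.com; bh=K9LTM4P8WM/e8CFLBk2b3E5eKKA=;
 b=SIGNATURE_PLACEHOLDER
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
From: "Southwest Airlines Rapid Rewards" <RapidRewards@luv.southwest.com>
Subject: Important Notice: TSA Secure Flight
Return-Path: RapidRewards@luv.southwest.com

<html><body>
<p>Action Required: TSA Changes Require You To Update Your Account</p>
<a href="http://luv.southwest.com/servlet/cc6?ID_PLACEHOLDER">Update your account</a>
</body></html>
"""

# "from HELO (rdns [ip])" as written by Postfix and most other MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[()]*)\s*\[([\d.]+)\]")


def dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace is not significant."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k] = v
    return tags


def org_domain(name):
    # Naive registrable-domain guess (last two labels); a real tool should
    # consult the Public Suffix List so that e.g. co.uk is handled.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def originating_hop(msg):
    """The earliest Received: line (last in header order) is the hop closest to the sender."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(hops[-1])))
    return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)} if m else None


def insecure_links(html):
    """Every href that would carry form data over plain http."""
    return [u for u in re.findall(r'href="([^"]+)"', html)
            if urlparse(u).scheme == "http"]


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    tags = dkim_tags(str(msg["DKIM-Signature"]))
    signing = tags.get("d", "").lower()
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    # Relaxed alignment: d= equals the From: domain or is a parent of it.
    aligned = signing == from_domain or from_domain.endswith("." + signing)
    http_links = insecure_links(msg.get_content())
    findings = []
    if aligned:
        findings.append("DKIM d=%s aligns with From: the owner of that zone sent "
                        "this; alignment says nothing about the content" % signing)
    if org_domain(signing) != signing:
        findings.append("signing domain is a subdomain of %s; check whether its "
                        "DNS is delegated to a third party" % org_domain(signing))
    if http_links:
        findings.append("%d link(s) are plain http; a form behind them collects "
                        "personal data in the clear" % len(http_links))
    return {"signing_domain": signing, "from_domain": from_domain,
            "aligned": aligned, "origin": originating_hop(msg),
            "insecure_links": http_links, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("-", line)
```

Run against the constructed message this reports all three findings: aligned signature, subdomain signer, and one plain-http link. The useful design point is the separation: authentication results answer "who sent it", the link and delegation checks answer "where does the data go", and a filter that whitelists on the first without looking at the second is exactly the gap the thread is complaining about.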

if this is legit, SW needs to protect their servers Re: southwest airlines sends out their own phishing email

Posted by Michael Scheidell <sc...@secnap.net>.
from others that have seen this email from other airlines:
(and, sw needs to protect my PPI by using SSL servers, not plain text 
servers that belong to a marketing company)



Is the TSA “trying to scare me into providing personal information”?

June 2, 2009

Secure Flight. Just the mention of those two words is enough to confuse, 
frustrate or frighten the average air traveler. As in, “The 
Transportation Security Administration’s new Secure Flight program will 
require you to … (insert name of ridiculous new policy here).”

The question now isn’t what is Secure Flight. It’s, “what isn’t it?

Frank Perch got the following email from AirTran the other day, for example.

    Recently, the Transportation Security Administration announced 
changes to their watch list matching process called Secure Flight. The 
mission of Secure Flight is to enhance the security of domestic and 
international air travel through the use of improved watch list 
matching. Another benefit will be greatly reduced incidents of 
passengers being misidentified with names on the TSA’s watch lists.

<http://www.elliott.org/blog/is-the-tsa-trying-to-scare-me-into-providing-personal-information/>

He thought it was a scam.

    The email does not exactly say, but strongly implies, that if I goof 
up — if my name on the reservation does not exactly match the format on 
my ID — that my ticket will not be valid.

    My first reaction to this email was actually that it must be a 
phishing email of some kind. Some crook is trying to scare me into 
providing personal information. Yet the email seemed to pass many of the 
usual phishing tests. I couldn’t find any spoofed hyperlinks for instance.

    I was still suspicious though because none of the other airlines I 
deal with was contacting me about this alleged requirement, which the 
email says is effective TODAY, and also usually when there is something 
important like that one would expect a bit of advance notice.

As it turns out, the email is legit, and so is the requirement. But 
Perch’s note underscores the fact that there’s so much misinformation 
about the new TSA policy, it’s amazing that air travel hasn’t ground to 
a halt.

Re: southwest airlines sends out their own phishing email

Posted by Michael Scheidell <sc...@secnap.net>.
Benny Pedersen wrote:
> On fre 02 okt 2009 22:03:23 CEST, Michael Scheidell wrote
>> still doesn't answer, dkim signed, spf passes, all domains end in 
>> .southwest.com
>
> then some using a smtp auth or hacked computer inside, or dkim-sign
> any mails ?
>
SURPRISE.. it's legit folks.

SF phone lines, and web site have been swamped by people all day calling 
to see if this was legit!

<http://www.blogsouthwest.com/blog/secure-flight-procedures>

(however, its STILL AN INSECURE HTTP BASED FORM ON A PARTNER SITE, A 
PARTNER WHO IS A PERMISSION BASED EMAIL MARKETING COMPANY)

Bad, stupid, really stupid... go put your dunce cap on and sit in the 
corner.

I believe that this attempt violated the TSA's privacy policies as well 
(asking a third party to collect information over a non ssl encrypted, 
non authenticated web site?)



Re: southwest airlines sends out their own phishing email

Posted by Benny Pedersen <me...@junc.org>.
On fre 02 okt 2009 22:03:23 CEST, Michael Scheidell wrote
> still doesn't answer, dkim signed, spf passes, all domains end in  
> .southwest.com

then some using a smtp auth or hacked computer inside, or dkim-sign
any mails ?

send to abuse at theredomain dot tld, yes its a grey area where one
like me from outside cant do much other then tell them

-- 
xpoint


Re: southwest airlines sends out their own phishing email

Posted by Michael Scheidell <sc...@secnap.net>.
Benny Pedersen wrote:
> On fre 02 okt 2009 21:42:22 CEST, Michael Scheidell wrote
>> southwest's phone has a 1 hour hold time.
>
> nope, in time waiting do this "spamassassin 2>&1 -D -t msg | grep 
> domain | less"
>
> what domains is listed ?, some trd party domains that does not use 
> known nameserver ?, eg why would a airliner use another nameserver 
> then a phisher ?
>
luv.southwest.com

> is some of the url listed on rbl ?
>
no

> any freemail in ?
>
no

> maybe stupid questions, but if you ask your self you will get the answer
>
still doesn't answer, dkim signed, spf passes, all domains end in 
.southwest.com




Re: southwest airlines sends out their own phishing email

Posted by Benny Pedersen <me...@junc.org>.
On fre 02 okt 2009 21:42:22 CEST, Michael Scheidell wrote
> southwest's phone has a 1 hour hold time.

nope, in time waiting do this "spamassassin 2>&1 -D -t msg | grep  
domain | less"

what domains is listed ?, some trd party domains that does not use  
known nameserver ?, eg why would a airliner use another nameserver  
then a phisher ?

is some of the url listed on rbl ?

any freemail in ?

maybe stupid questions, but if you ask your self you will get the answer

-- 
xpoint


Re: southwest airlines sends out their own phishing email

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2009-10-02 at 15:42 -0400, Michael Scheidell wrote:

> it REALLY looks like someone at southwest had this done.
> 
> its stupid.. it encourages users to disclose private data over an
> insecure channel, and whoever authorized this (if its southwest) needs
> a LONG vacation.
>
Should somebody ask TSA if this is legitimate use of their name?


Martin



Re: southwest airlines sends out their own phishing email

Posted by Michael Scheidell <sc...@secnap.net>.

Steven W. Orr wrote:
> On 10/02/09 13:52, quoth Michael Scheidell:
>   
>> not to be outdone by hackers and thieves, phishing for PPI, southwest 
>> airlines is sending out their own DKIM signed, SPF PASSED, from their own
>> servers, their very own phishing email. (didn't one of the major banks do
>> something like this 3 years ago?)
>>     
>
> I have no idea what the story is here but from what you say here, it's not
> clear whether responsys is a legitimate marketing company that was hired by
> southwest.
>
> For example:
> Then look at luv.southwest.com which has
>
>   
but, southwest would need to subdelegate luv.southwest.com.

it REALLY looks like someone at southwest had this done.

its stupid.. it encourages users to disclose private data over an 
insecure channel, and whoever authorized this (if its southwest) needs a 
LONG vacation.

oh, and I checked our managed email servers?  HUNDREDS AND HUNDREDS of 
these emails are coming in to all our clients.
many to email addresses that no longer exist, but 99% to current, legit 
emails.

other more interesting thing:  the frequent flyer number?  its real, and 
it belongs to the recipients.

so, is this a phishing email I need to block? or legit email I need to 
whitelist?

southwest's phone has a 1 hour hold time.

imagine that.


Re: southwest airlines sends out their own phishing email

Posted by "Steven W. Orr" <st...@syslang.net>.
On 10/02/09 13:52, quoth Michael Scheidell:
> not to be outdone by hackers and thieves, phishing for PPI, southwest 
> airlines is sending out their own DKIM signed, SPF PASSED, from their own
> servers, their very own phishing email. (didn't one of the major banks do
> something like this 3 years ago?)

I have no idea what the story is here but from what you say here, it's not
clear whether responsys is a legitimate marketing company that was hired by
southwest.

For example:


southwest.com.          900     IN      A       208.94.153.100

but the MX for southwest is

southwest.com.          900     IN      MX      10 mail-1.southwest.com.
southwest.com.          900     IN      MX      10 mail-2.southwest.com.

Then look at luv.southwest.com which has

luv.southwest.com.      90      IN      A       12.130.131.30
but also has a reverse dns
30.131.130.12.in-addr.arpa. 3600 IN     PTR     luv.southwest.com.

Then the MX for luv says:
luv.southwest.com.      90      IN      MX      20 imh2.rsys4.net.
luv.southwest.com.      90      IN      MX      10 imh.rsys4.net.

which also happens to be ns1.responsys.net

Assuming responsys *is* legit, they could do a better job of reputation
management.
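The dig output above is enough to mechanise the question being asked here: is luv.southwest.com operated by the parent organisation or by someone else? The following added example (not code from the thread or from SpamAssassin) encodes those records as a constructed lookup table and applies two checks a filter operator would want: whether the subdomain's MX hosts belong to a different organisation than the parent's, and whether the forward and reverse DNS of the sending name agree. The two-label "organisational domain" rule is a simplifying assumption; a real tool would use the Public Suffix List and live DNS queries instead of a table.

```python
"""Is a sending subdomain run by the parent organisation or by a third party?

Added example, not code from the post or from SpamAssassin. RECORDS is
constructed from the dig output quoted in the post; in practice these would
be live lookups (e.g. with dnspython) rather than a static table.
"""

# Constructed zone data copied from the post: name -> record type -> values
RECORDS = {
    "southwest.com": {"A": ["208.94.153.100"],
                      "MX": ["mail-1.southwest.com", "mail-2.southwest.com"]},
    "luv.southwest.com": {"A": ["12.130.131.30"],
                          "MX": ["imh.rsys4.net", "imh2.rsys4.net"]},
    "30.131.130.12.in-addr.arpa": {"PTR": ["luv.southwest.com"]},
}


def lookup(name, rtype, records=RECORDS):
    return records.get(name.rstrip(".").lower(), {}).get(rtype, [])


def org_domain(name):
    # Naive registrable-domain guess (last two labels); assumption, see lead-in.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def mail_operators(name, records=RECORDS):
    """Organisations whose hosts accept mail for `name`, derived from its MX set."""
    return sorted({org_domain(mx) for mx in lookup(name, "MX", records)})


def is_third_party_operated(name, records=RECORDS):
    """True when none of the MX hosts belong to the name's own organisation,
    i.e. mail for this label is outsourced to an external provider."""
    return org_domain(name) not in mail_operators(name, records)


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def forward_confirmed(name, records=RECORDS):
    """Forward-confirmed reverse DNS: every A record's PTR points back at `name`."""
    addrs = lookup(name, "A", records)
    return bool(addrs) and all(
        name.lower() in (p.lower() for p in lookup(reverse_name(ip), "PTR", records))
        for ip in addrs)


def assess(sub, records=RECORDS):
    parent = org_domain(sub)
    return {
        "subdomain": sub,
        "parent": parent,
        "parent_mail": mail_operators(parent, records),
        "sub_mail": mail_operators(sub, records),
        "third_party": is_third_party_operated(sub, records),
        "fcrdns": forward_confirmed(sub, records),
    }


if __name__ == "__main__":
    for k, v in assess("luv.southwest.com").items():
        print("%-12s %s" % (k, v))
```

For luv.southwest.com the table gives parent mail handled by southwest.com hosts, subdomain mail handled by rsys4.net hosts, so `third_party` is true while `fcrdns` still passes. That combination is the signature of a delegated marketing subdomain: consistent DNS (so it will authenticate cleanly) but infrastructure the parent does not run, which is worth a distinct rule or score adjustment rather than the same treatment as the parent domain.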

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net