not to be outdone by hackers and thieves, phishing for PPI, southwest airlines is sending out their own DKIM signed, SPF PASSED, from their own servers, their very own phishing email. (didn't one of the major banks do something like this 3 years ago?)

all servers in the links are http (not https), and are on *.luv.southwest.com ip's.
http://luv.southwest.com/servlet/cc6?(and some number that i erased)
looks like ip is owned by 'Responsys'?

host luv.southwest.com
luv.southwest.com has address 12.130.131.30
luv.southwest.com mail is handled by 20 imh2.rsys4.net.
luv.southwest.com mail is handled by 10 imh.rsys4.net.
mirror# whois 12.130.131.30
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
                                 12.0.0.0 - 12.255.255.255
CERFnet ATTENS-SJC1-2 (NET-12-130-128-0-1)
                                 12.130.128.0 - 12.130.191.255
CI - Responsys SID-10369 ATTWH-12-130-131-0-24-0809094253 (NET-12-130-131-0-1)
                                 12.130.131.0 - 12.130.131.255

I looked up numbers on their web site.

I called southwest. they say the hold time is between 45 mins and 1 hour and 6 mins. (i wonder why).
I called responsys.  phone doesn't even ring (800-624-5356)

I won't post the full body, because of all the web bugs in it; it could lead to the account of the person who brought this to my attention. But for people I know, I might share it.

content of the email is a typical phishing email:
does anyone know if TSA really wants the airlines to collect this information?
*Action Required: TSA Changes Require You To Update Your Account*

Dear Future victim of identify fraud[sic],

Southwest Airlines has been working in cooperation with the TSA to introduce Secure Flight, a federally mandated program designed to help enhance the security of domestic and international commercial air travel through the use of improved watch list* matching.



Southwest Airlines is therefore required to collect additional Secure Flight Passenger Data, which includes:

   * Your full name, exactly as it appears on the current (non-expired)
     government-issued photo ID that you will be traveling with
   * Date of birth
   * Gender
   * The TSA-issued Redress Number** (if applicable)


here are headers.
yep, dkim passed on my end (before I munged the headers)

From - Fri Oct  2 13:27:11 2009
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from mx1.secnap.com.ionspam.net ([204.89.241.253]) by secnap3.secnap.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
    Fri, 2 Oct 2009 13:27:05 -0400
Received: from localhost (mx1.secnap.com.ionspam.net [204.89.241.253])
   by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 936342B7C91
   for <spamt...@secnap.net>; Fri,  2 Oct 2009 13:27:05 -0400 (EDT)
Received: from omp.luv.southwest.com (omp.luv.southwest.com [12.130.137.222])
   by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id BA8CE2B7C7B
   for <spamt...@secnap.net>; Fri,  2 Oct 2009 13:27:03 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=southwest; d=luv.southwest.com; h=MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:Reply-To:Subject:List-Unsubscribe:To:Message-Id; i=rapidrewa...@luv.southwest.com;
bh=K9LTM4P8WM/e8CFLBk2b3E5eKKA=;
b=CovqQo71dauGXRfa0/e/1yqWPkjJhNrrGITrt34DKCk2SfX8zTrbtcDFdmNabtnIAPvTbF982oUe
VhYLXdl5uN7qDddhsDZ4Y2l7qa/4li0RXSWQIMPt8zCPCTL/2a1zMH7MsAOtGaucHkxhiHQMZwT9
  +rfozAHcpB98YHsdDLE=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=southwest; d=luv.southwest.com;
b=c4Y0HLpkWe1F5sC9DHPIDTgks95ippZeicmDIahk5M9ci+xT7iQUnzHqUncH6+Agtjf13Gwh8bKz
h65VN0uzG/HChchBerQpH/3JrhkCzlkyyHJfnONEPc8njpeGDg/5BYqbASDCnzKHxs8WvCIlMcI9
  EqpTLSW7ZdrNYvrx3mE=;
Received: by omp.luv.southwest.com (PowerMTA(TM) v3.5r10) id hoorue0morc3 for <scheid...@secnap.net>; Fri, 2 Oct 2009 10:27:02 -0700 (envelope-from <rapidrewa...@luv.southwest.com>)
MIME-Version: 1.0
Content-Type: text/html;
   charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 2 Oct 2009 10:27:01 -0700
From: "Southwest Airlines Rapid Rewards" <rapidrewa...@luv.southwest.com>
Reply-To: "Southwest Airlines Rapid Rewards" <re...@luv.southwest.com>
Subject: Important Notice: TSA Secure Flight
List-Unsubscribe: http://luv.southwest.com?lPHpkDCABDVTElJoLpKLssFlLJgHiDgLmEa
Return-Path: rapidrewa...@luv.southwest.com
X-OriginalArrivalTime: 02 Oct 2009 17:27:05.0688 (UTC) FILETIME=[8FDDF580:01CA4385]
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008
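
Added example, not part of the original post: a short Python review of what the passing DKIM signature above does and does not tell a recipient. The header values are copied from the post with the addresses left elided as posted; the body fragment and its PLACEHOLDER query value are constructed, and no cryptographic verification is performed.

```python
import re

# Header values copied from the post (addresses stay elided as posted; b=/bh= omitted).
DKIM_HEADER = ("v=1; a=rsa-sha1; c=relaxed/relaxed; s=southwest; d=luv.southwest.com; "
               "h=MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:Reply-To:"
               "Subject:List-Unsubscribe:To:Message-Id; i=rapidrewa...@luv.southwest.com;")
FROM_HEADER = '"Southwest Airlines Rapid Rewards" <rapidrewa...@luv.southwest.com>'
# Constructed body fragment; the link shape follows the post, the query value is a placeholder.
BODY = '<a href="http://luv.southwest.com/servlet/cc6?PLACEHOLDER">Update your account</a>'


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def from_domain(from_header):
    """Return the domain of the address in a From header."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return match.group(1).lower() if match else None


def review_message(dkim_value, from_header, body):
    """List what a passing signature does and does not tell the recipient."""
    tags = parse_dkim_tags(dkim_value)
    findings = []
    signer, author = tags.get("d", "").lower(), from_domain(from_header)
    if signer == author:
        findings.append(f"d={signer} matches the From domain: origin is authenticated, content is not vetted")
    else:
        findings.append(f"d={signer} does not match From domain {author}")
    if tags.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1: SHA-1 signatures are deprecated by RFC 8301")
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    if "from" not in signed:
        findings.append("From is not in h=, so the visible sender is unsigned")
    for url in re.findall(r'href="(http://[^"]+)"', body):
        findings.append(f"plain-HTTP link, no server authentication: {url}")
    return findings


if __name__ == "__main__":
    for line in review_message(DKIM_HEADER, FROM_HEADER, BODY):
        print(line)
```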
