Bank of America: Transactional Email to a Spamtrap :(

Bank of America is sending non-bulk transactional emails to an email address that was closed in 2008, and that subsequently rejected all email for a period of over a year before being re-enabled as a spamtrap. The email contains a customer name and the last four digits of a credit card number. :/ This is not spam; the email was not bulk. However, if Bank of America were paying attention to bounces, it should long since have realized that this email address was not receiving its notifications. Bank of America needs to verify its customer list NOW to fix this security breach. The ESP is ExactTarget.
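The bounce handling this post says was missing, shown as an added example (not from the original post, and not Bank of America's or ExactTarget's code): a suppression list that stops mailing an address after repeated permanent rejections and keeps it suppressed even if the mailbox later starts accepting mail again. The addresses, the 2008-2009 dates, the SMTP reply strings and the three-strike threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

THRESHOLD = 3  # assumed policy: consecutive permanent failures before suppressing

@dataclass
class AddressState:
    consecutive_hard: int = 0
    suppressed_on: Optional[date] = None

# Constructed delivery log: (send date, recipient, reply the receiving MTA gives).
# closed@example.net mirrors the post's timeline: rejecting, then accepting again as a trap.
SAMPLE_EVENTS = [
    (date(2008, 3, 1),   "ok@example.net",     "250 2.0.0 OK"),
    (date(2008, 9, 15),  "closed@example.net", "550 5.1.1 User unknown"),
    (date(2008, 12, 15), "closed@example.net", "550 5.1.1 User unknown"),
    (date(2009, 1, 10),  "ok@example.net",     "451 4.7.1 Try again later"),
    (date(2009, 3, 15),  "closed@example.net", "550 5.1.1 User unknown"),
    (date(2009, 6, 15),  "closed@example.net", "550 5.1.1 User unknown"),
    (date(2011, 12, 6),  "closed@example.net", "250 2.0.0 OK"),
]

def process(events, threshold=THRESHOLD):
    """Return (per-address state, sends the suppression list stopped)."""
    states, blocked = {}, []
    for day, addr, reply in events:
        st = states.setdefault(addr.lower(), AddressState())
        if st.suppressed_on is not None:
            # Suppression is sticky: only the customer re-confirming the address
            # lifts it, never the mailbox starting to accept mail again.
            blocked.append((day, addr))
        elif reply.startswith("5"):          # 5xx = permanent failure (RFC 5321)
            st.consecutive_hard += 1
            if st.consecutive_hard >= threshold:
                st.suppressed_on = day
        elif reply.startswith("2"):          # accepted: reset the streak
            st.consecutive_hard = 0
        # 4xx is transient: the MTA retries, the streak is left alone
    return states, blocked

def delivered_without_suppression(events):
    """What a sender that ignores bounces gets accepted by the receiver."""
    return [(day, addr) for day, addr, reply in events if reply.startswith("2")]

if __name__ == "__main__":
    states, blocked = process(SAMPLE_EVENTS)
    print("suppressed on:", states["closed@example.net"].suppressed_on)
    print("sends stopped:", blocked)
    print("ignoring bounces delivers:", delivered_without_suppression(SAMPLE_EVENTS))
```

With the list in place, the constructed December 2011 send never leaves the sender; without it, the message carrying the customer name and card digits is accepted by the trap.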

Sending IP: 68.232.194.4

Spam Sample:

Actual Headers:

Received: from emcom.bankofamerica.com (mta.emcom.bankofamerica.com [68.232.194.4])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Tue,  6 Dec 2011 16:xx:xx -0600 (CST)
DKIM-Signature: <xxx>
DomainKey-Signature: <xxx>
Received: by emcom.bankofamerica.com (PowerMTA(TM) v3.5r15) id <xxx> 
        for <xxx>; Tue, 6 Dec 2011 16:xx:xx -0600 
        (envelope-from <bounce-<xxx>@bounce.emcom.bankofamerica.com>)
From: "Bank of America" <customerservice@emcom.bankofamerica.com>
To: <xxx>
Subject: Information about your credit card
Date: Tue, 06 Dec 2011 16:xx:xx -0600
MIME-Version: 1.0
Reply-To: "Bank of America" <reply-<xxx>@emcom.bankofamerica.com>
x-job: <xxx>
Message-ID: <xxx>
Content-Type: multipart/alternative;
        boundary="<xxx>"

Readable Email:

From: Bank of America <customerservice@emcom.bankofamerica.com>
To: <spamtrap>
Subject: Information about your credit card
Reply-To: Bank of America <reply-<xxx>@emcom.bankofamerica.com>

Exclusively for: <xxx>

Account ending in <xxx>

----- We’ve sent you a new credit card. -----

Thank you for continuing to be a Bank of America(R)
customer. We want to let you know that a new card for
your existing account has been mailed to you and should
be arriving shortly. This will replace your current card.
Once your new card arrives, you’ll be able to access many
online resources that will help make using it easier and
more convenient.

For instance, you can activate your card online. Also, you
can always access your account on your schedule, plus pay
your bill online when you enroll in Online Banking for your
credit card. If you are already enrolled, it’s easy to
sign in.

Activate your card:
http://click.emcom.bankofamerica.com/?<xxx>

<removed>

Email Preferences

This is a service email from Bank of America. Please note
that you may receive service email in accordance with your
Bank of America service agreements, whether or not you elect
to receive promotional email.
