Chase Bank: A Spamtrap is “an Amazon.com Business Rewards Visa cardmember”?

Chase Bank is sending advertising emails to an email address that has been closed for many years, claiming that the owner is “an Amazon.com Business Rewards Visa cardmember”. The ESP is Acxiom Digital.

This is really bad, for reasons that have little to do with spam itself. I wish that Chase had just bought an e-pended list or hired an e-pender, and was just blasting spam at hapless email addresses who had no idea why they were receiving that email. However, the email that I am reporting, although a bulk advertising email, also contained specific sensitive personal information that is not associated with the spamtrap email address, but that I strongly suspect *is* associated with a real human being who has a real Chase credit card. :/ Chase clearly either does not confirm email addresses associated with actual credit card accounts, or ignores bounces.

In either case, Chase’s poor email management processes have led to a security breach. What are the security implications for Chase customers?

Sending IP: 67.59.179.33

Spam Sample:

Actual Headers:

Received: from client-h-33.delivery.net (client-h-33.delivery.net [67.59.179.33])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Tue, 15 Nov 2011 12:xx:xx -0600 (CST)
DomainKey-Signature: <xxx>
DKIM-Signature: <xxx>
Received: from [209.11.xx.xx] ([209.11.xx.xx:xx] helo=<xxx>)
        by <xxx> (envelope-from <Chase@emails.chase.com>)
        (ecelerity 2.2.3.46 r(<xxx>)) with ESMTP
        id <xxx>; Tue, 15 Nov 2011 10:xx:xx -0800
Date: Tue, 15 Nov 2011 10:xx:xx -0800 (PST)
From: "Amazon.com Rewards Visa Card" <Chase@emails.chase.com>
Reply-to: Chase@emails.chase.com
To: <xxx>
Message-ID: <xxx>
Subject: Cardmember Exclusive: Earn 10 points for every $1 spent on digital downloads at Amazon.com
Errors-to: Chase@emails.chase.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="---=<xxx>"
X-eid: <xxx>
X-pid: <xxx>

Readable Email:

From: Amazon.com Rewards Visa Card <Chase@emails.chase.com>
To: <spamtrap>
Subject: Cardmember Exclusive: Earn 10 points for every $1 spent on digital downloads at Amazon.com
Reply-to: Chase@emails.chase.com

You are receiving this e-mail because you are an Amazon.com Business Rewards Visa cardmember.

An exclusive offer just for cardmembers. Earn 10 points for every $1 spent on all digital download purchases at Amazon.com.

View in your web browser.
http://chaseamazon.r.delivery.net/r/r?<xxx>

<removed>

E-mail Security Information
E-mail intended for: <xxx>.
For your account ending in: <xxx>.

If you are concerned about the authenticity of this message, please click the link below or call the phone number on the back of your credit card and reference the Chase Library Code: <xxx>.
http://chaseamazon.r.delivery.net/r/r?<xxx>

<removed>

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing chase.com/creditcards directly into your browser.
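The sending IP reported above, and the fact that the mail left an ESP's host rather than a chase.com host, can be read straight out of the sample headers. The following is an added example, not part of the original report; the function names and the naive two-label domain comparison are this example's own assumptions, and the input is the sample's headers with the `<xxx>` redactions kept.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: the Received and From lines of the sample above, with the
# recipient's <xxx> redactions kept and the remaining headers left out.
SAMPLE = """\
Received: from client-h-33.delivery.net (client-h-33.delivery.net [67.59.179.33])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Tue, 15 Nov 2011 12:xx:xx -0600 (CST)
Received: from [209.11.xx.xx] ([209.11.xx.xx:xx] helo=<xxx>)
        by <xxx> (envelope-from <Chase@emails.chase.com>)
        (ecelerity 2.2.3.46 r(<xxx>)) with ESMTP
        id <xxx>; Tue, 15 Nov 2011 10:xx:xx -0800
From: "Amazon.com Rewards Visa Card" <Chase@emails.chase.com>
Subject: Cardmember Exclusive

body
"""

# Postfix writes the connecting peer as "from HELO (rDNS [IP])".
PEER = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
ENVELOPE = re.compile(r"envelope-from\s+<([^>]+)>")

def org_domain(host):
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw):
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Only the topmost Received line was written by the recipient's own MTA;
    # every line below it was supplied by the sending side.
    peer = PEER.search(" ".join(hops[0].split())) if hops else None
    helo, rdns, ip = peer.groups() if peer else (None, None, None)
    # The envelope sender is only visible in a sender-side hop, so treat it as a claim.
    env = next((m.group(1) for h in hops[1:] if (m := ENVELOPE.search(h))), None)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "sending_ip": ip,
        "sending_host": rdns,
        "helo": helo,
        "envelope_from": env,
        "from_domain": from_domain,
        "third_party": bool(rdns) and org_domain(rdns) != org_domain(from_domain),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```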
