Chase Bank: Sending Transactional Email to a Spamtrap

Chase Bank simply doesn’t get it, or doesn’t care. Months after I reported that Chase was spamming email addresses that did not belong to live customers with marketing and transactional email messages, it is now sending transactional emails containing a customer name and information about account activity to yet another spamtrap. This email was sent directly from Chase’s own IPs.

This particular spamtrap has never been a real email address. The spam is almost certainly misdirected due to a typo, either by the customer or by a Chase employee manually inputting the email address. That typo would not have happened had Chase performed basic due diligence. You do that by confirming that the email address actually goes to your customer through a closed-loop confirmation.

Sending IP: 159.53.46.195

Spam Sample:

Actual Headers:

Received: from shvf3.jpmchase.com (shvf3.jpmchase.com [159.53.46.195])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Thu, 16 May 2013 18:xx:xx +0000 (UTC)
Received: from [127.0.0.1] ([169.111.6.13])
        by <xxx>.jpmchase.com (Sentrion-MTA-4.2.0/Sentrion-MTA-4.2.0) with ESMTP id <xxx>
        for <xxx>; Thu, 16 May 2013 14:##:## -0400
X-DKIM: OpenDKIM Filter v2.1.3 shvf3.jpmchase.com <xxx>
DKIM-Signature: <xxx>
From: "Chase Card Services" <Chase@emailinfo.chase.com>
Reply-To: Chase.<xxx>@emailinfo.chase.com
To: <xxx>
Subject: Thank you for scheduling your online payment
Date: Thu, 16 May 2013 14:xx:xx -0400
Message-ID: <<xxx>.Chase.<xxx>@emailinfo.chase.com>
X-Mailer: Kana Connect 10
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="<xxx>.MimeBoundarY"

Readable Email:

From: Chase Card Services <Chase@emailinfo.chase.com>
To: <spamtrap>
Subject: Thank you for scheduling your online payment
Reply-To: Chase.<xxx>@emailinfo.chase.com

Dear <xxx>,

Thank you for scheduling your recent credit card payment online. Your payment in the amount of $xxxx.xx will be credited to your credit card account (CREDIT CARD ) ending in (…xxxx ) on 05/xx/2013.

Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?

Just log on to www.chase.com/creditcards today. Using the “I’d like to…” links for your credit card account, you can access more than a dozen features, including links to:

<removed>

E-mail Security Information

E-mail intended for your account ending in: xxxx.

If you are concerned about the authenticity of this message, please click here www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/fraud_information” or call the phone number on the back of your credit card. If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here

www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/fraud_information

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing www.chase.com/creditcards directly into your browser.

ABOUT THIS MESSAGE:

<removed>

Your personal information is protected by state-of-the-art technology. For more detailed security information, view our Online Privacy Policy here

www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/Privacy_Policy.

To request in writing:

Chase Privacy Operations, 451 Florida Street, Fourth Floor, LA2-9376, Baton Rouge,LA 70801

©2013 JPMorgan Chase & Co.

Leave a Reply

Go back to top