Chase Bank: Sending Transactional Email to a Spamtrap

Chase Bank simply doesn’t get it, or doesn’t care. Months after I reported that Chase was spamming email addresses that did not belong to live customers with marketing and transactional email messages, it is now sending transactional emails containing a customer name and information about account activity to yet another spamtrap. This email was sent directly from Chase’s own IPs.

This particular spamtrap has never been a real email address. The spam is almost certainly misdirected due to a typo, either by the customer or by a Chase employee manually inputting the email address. That typo would not have happened had Chase performed basic due diligence. You do that by confirming that the email address actually goes to your customer through a closed-loop confirmation.

Sending IP:

Spam Sample:

Actual Headers:

Received: from ( [])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Thu, 16 May 2013 18:xx:xx +0000 (UTC)
Received: from [] ([])
        by <xxx> (Sentrion-MTA-4.2.0/Sentrion-MTA-4.2.0) with ESMTP id <xxx>
        for <xxx>; Thu, 16 May 2013 14:##:## -0400
X-DKIM: OpenDKIM Filter v2.1.3 <xxx>
DKIM-Signature: <xxx>
From: "Chase Card Services" <>
Reply-To: Chase.<xxx>
To: <xxx>
Subject: Thank you for scheduling your online payment
Date: Thu, 16 May 2013 14:xx:xx -0400
Message-ID: <<xxx>.Chase.<xxx>>
X-Mailer: Kana Connect 10
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="<xxx>.MimeBoundarY"

Readable Email:

From: Chase Card Services <>
To: <spamtrap>
Subject: Thank you for scheduling your online payment
Reply-To: Chase.<xxx>

Dear <xxx>,

Thank you for scheduling your recent credit card payment online. Your payment in the amount of $xxxx.xx will be credited to your credit card account (CREDIT CARD ) ending in (…xxxx ) on 05/xx/2013.

Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?

Just log on to today. Using the “I’d like to…” links for your credit card account, you can access more than a dozen features, including links to:


E-mail Security Information

E-mail intended for your account ending in: xxxx.

If you are concerned about the authenticity of this message, please click here” or call the phone number on the back of your credit card. If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing directly into your browser.



Your personal information is protected by state-of-the-art technology. For more detailed security information, view our Online Privacy Policy here

To request in writing:

Chase Privacy Operations, 451 Florida Street, Fourth Floor, LA2-9376, Baton Rouge,LA 70801

©2013 JPMorgan Chase & Co.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go back to top