Citibank: Emailing Sensitive Private Credit Card Information to a Spamtrap

First Chase Bank sent marketing emails that contained personal names and credit card information to spamtraps. Now Citibank is doing the same thing. Today Citibank sent a bulk marketing email to an email address that, if it ever existed at all, has been closed since 2007. The email contained a name and the last four digits of a credit card number. Either Citibank is deliberately including made-up “customer” information to make bulk marketing email look more legitimate (which I doubt), or Citibank has badly mismanaged its customer list *AND* (worse) is including sensitive personal information in marketing emails that are going to unconfirmed and incorrect email addresses. The ESP is Epsilon Interactive via its ESP Bigfoot Interactive.

Sending IP:

Spam Sample:

Actual Headers:

Received: from ( [])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Mon, 21 Nov 2011 12:xx:xx -0600 (CST)
DKIM-Signature: <xxx>
DomainKey-Signature: <xxx>
Received: from [192.168.xx.xx] ([192.168.xx.xx:xx] helo=<xxx>)
        by <xxx> (envelope-from <<xxx>>)
        (ecelerity r(<xxx>)) with ESMTP
        id <xxx>; Mon, 21 Nov 2011 13:xx:xx -0500
Reply-To: =?iso-8859-1?B?<xxx>=?= <1<xxx>>
Bounces_to: citicards.<xxx>
Message-ID: <<xxx>>
X-SS: <xxx>
X-BFI: <xxx>
Date: Mon, 21 Nov 2011 13:xx:xx EST
From: =?iso-8859-1?B?<xxx>==?= <>
Subject: Up to $250 back on purchases - a benefit of your Citi Card
To: <xxx>
MIME-Version: 1.0
Content-Type: multipart/alternative;

Readable Email:

From: <xxx> <>
To: <spamtrap>
Subject: Up to $250 back on purchases – a benefit of your Citi Card
Reply-To: <xxx> <1<xxx>>


Add to your address book to ensure delivery.

Cardmember: <xxx>
Account Ending In: <xxx>
Member Since: <xxx>

Please visit the following link to view your message:<xxx>


This is a message from Citi Cards. If you’d like to refine the types of email messages you receive, or if you’d prefer to stop receiving email from us, please go to:<xxx>

Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank’s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank, N.A. Customer Service
P.O. Box 6500
Sioux Falls, SD 57117

2 Responses to Citibank: Emailing Sensitive Private Credit Card Information to a Spamtrap

  1. Today I received a spam report from a long-time user of my old spam filter (the SpamBouncer) indicating that Citibank had also sent a mailing to an old/closed email address associated with a Sears credit card that a family member has or used to have. That email also contained the name and last four digits of the credit card number. (Citibank manages Sears credit cards.)

    Years ago I had a Citibank card. I got rid of it for other reasons, but if I had not, this would be sufficient reason to do so. :/

  2. Pingback: Citibank: Sending “Thank You” Reward Emails to 8-Years-Dead Spamtrap! » MainSleaze
