Fake mailing reports using mail service on [URL : mail-txn.identity.com]
Low
Inflection
Team Summary
Official summary from Inflection
Researcher discovered an unused subdomain that served as an alias for Mandrill's third-party transactional email service. Mandrill's relay server could be used to send bounceback/failed delivery messages to an arbitrary "sender", although the contents of the message itself are limited to Mandrill's pre-set bounceback template. As the vulnerability is not in a service that we operate, we removed the unused subdomain.
Reported by
namansahore
Report Details
Additional information and metadata
State
Closed
Substate
Resolved