All Vendors
email_marketing

Bounceban

Bounceban email validation service deploys consent bypass mechanisms during email verification workflows.

29 IOCs31 detections23% pre-consent30 sites
70
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Bounceban discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

31 detections across 30 sites23% pre-consent activity
HIGH

Pre-Consent Activity

Bounceban was observed loading and executing before user consent was obtained on 23% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps
Customer Impact

What This Means For You

Customers face GDPR Article 6 violations from pre-consent email processing. Risk is elevated if Bounceban retains email addresses for proprietary validation databases, creating secondary processing without consent.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Bounceban

  • Configure Bounceban to activate only after consent checkbox confirmation
  • Verify email validation occurs client-side before submission to minimize data transfer
  • Implement privacy-by-design form flows where consent precedes email capture

If You're Evaluating Bounceban

  • Request DPA confirming email addresses are not retained in Bounceban validation databases
  • Verify data retention period for validation requests
  • Assess alternative email validation services with consent-aware workflows

Negotiation Leverage

  • Bounceban consent bypass (BTI-C09) during validation creates pre-consent email processing—require technical controls to delay validation until after consent collection
  • Clarify whether validated emails are retained in Bounceban databases for training/improvement—demand contractual prohibition if not disclosed
  • Negotiate maximum 24-hour retention for validation requests with automated deletion
Runtime Detections

Runtime Detections

1 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Initiates email validation processing before consent collection completes, creating automatic legal violations for email data handling.

IOC Manifest

IOC Manifest

20 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*bounceban.com/public/os/dist/js/main.js*
Tracking script
TRACK
bounceban.com/public/os/dist/js/main.min.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Bounceban integrates with email marketing platforms and form builders to validate email addresses in real-time. Data flows include validation status, bounce risk scores, and email metadata to customer marketing automation systems.
Loads (1)
Tawkto
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

29 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details