Who is Behind Job Spam?

By | 2015-05-01

If you have been in the job market, chances are that you have received a lot of “offers” from recruiters. Lots of times, these “offers” are for short-term contracts, in random places around your country. I thought I’d pick apart the email header, and share it here.

It’s not uncommon to receive email from recruiters, especially through services where you have posted your resume. It happens, and most times, recruiters will stop emailing you if you ask. However, there are those that simply don’t care about the number of emails that they send. Why is this bad? You, as the potential employee, become inundated with “offers” that don’t apply to you, and you may miss one that does.

I received a message from “Dana” at Willis Group LLC in Huntington Beach, California this morning, for a 12-month contract position in Glendale. I received this message because “Dana” performed a keyword search for Active Directory on a service called JobDiva. Even though the one place that my resume is posted specifically points out that I am not open to contracts, nor am I open to relocation, she still sent me this message.

For those that don’t know, JobDiva is a service that scrapes contact information and resumes from job boards such as Monster, Dice, Indeed, and The Ladders, and allows its subscribers to search this data for potential matches for open positions. Messages are then sent directly from the JobDiva servers to the target recipients. While this might seem like a great way to contact potential recruits, most times this method fails. Don’t get me wrong, it can be a great method, if wielded correctly.

Unfortunately, most of the businesses that subscribe to the JobDiva service are (what appear to be) sweatshops in which mass emails are sent, based on one or two keywords, with no regard for the requirements of either the employer or the potential employee. This is a huge disservice to all parties, except JobDiva.

  • The employer loses out on potential recruits
  • The recruit gets inundated with spam, potentially overlooking valid offers
  • Even the spammer loses out, because people start filtering out their messages. No recruit, no bonus.

So the only winner is JobDiva, since the spammer is buying their service. Quite a racket, if you ask me.

I thought I would take a moment to share with the public how to spot this JobDiva spam. Even though the spam appears to be coming from a variety of different individuals or companies, JobDiva is the common factor behind most of them. I’ve copied the header out of the email I received this morning, and color coded certain pieces. Innocent bystander information has been changed or redacted, with only the offenders’ information remaining intact. Why did I leave their information in place? Why not? I hope spam bots crawl all over this article, and pick up their information.

Use this information as you see fit.

Sender’s email address – This is the email address of the JobDiva subscriber that is sending the spam. If you hit “Reply” for the email, this is where it will go.

Internal IP address – Internal IP address on the JobDiva network that is sending the spam, or the server that is executing the mailmerge. Just an interesting bit of info that gives insight into the internal network at the service provider.

Originator “Signature” – These are the lines that are key in identifying JobDiva spam.

Domain Name – The smoking gun – this spam is coming from the JobDiva domain. You can try filtering on this, but sometimes a service provider can or will spoof this information. It doesn’t happen much anymore, since most receiving servers will perform reverse lookups to check the validity of the sending server.

Mailmerge server – Server name on the internal network that is performing mail merge operations. Another interesting tidbit from the internal network. Mail merge is a software operation describing the production of multiple (and potentially large numbers of) documents from a single template form and a structured data source. The letter may be sent out to many “recipients” with small changes, such as a change of address or a change in the greeting line. Basically, it is a form letter, with your personal information sprinkled in key places.

Source IP Address – This is the IP address of the JobDiva mail sender. You can use this info to filter mail from this sender, or report it to a Realtime Blackhole List (RBL).

x-store-info:sbevkl2QZR7OXo7WID5ZcdJYDvlIhT9R06+eUQgo/Ro=
Authentication-Results: redacted; spf=softfail (sender IP is redacted) smtp.mailfrom=smore@genuent.net; dkim=none header.d=genuent.net; x-hmca=fail header.id=smore@genuent.net
X-SID-PRA: smore@genuent.net
X-AUTH-Result: FAIL
X-SID-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: gamVN+8Ez8V+RHg+F+brAdzwKaGMJ63BX76t+L766JDagmg9dXRuwzw5u6pNs6Z5yNJuR8TPsH3JvUFVmUhjrayrqUiVOgv7LkRMY5I6XatpAYwI+DDg/7Bg290iOtLbc+eIzCkjCAjWBnmjSzM8c23iJYJRiJH+LSdsHTQg/PE89YoFIp4PNwrossrMitlMaAqzN2iJogFu9ODVLwKuHmn88wvg6xxg
Received: from redacted ([redacted]) by COL004-MC1F20.redacted over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
Fri, 1 May 2015 10:08:00 -0700
Received: by redacted with SMTP id zk7so68463567lbb.0
for <TargetEmailAddress>; Fri, 01 May 2015 10:08:00 -0700 (PDT)
X-Received: by 10.112.29.39 with SMTP id g7mr8951122lbh.1.1430500080048;
Fri, 01 May 2015 10:08:00 -0700 (PDT)
Return-Path: <smore@genuent.net>
Received: from jobdivabk.com (jobdivabk.com. [66.111.12.234])
by redacted with ESMTP id fh3si741962qcb.1.2015.05.01.10.07.59
for <TargetEmailAddress>;
Fri, 01 May 2015 10:07:59 -0700 (PDT)
Received-SPF: pass (redacted: domain of smore@genuent.net designates 66.111.12.234 as permitted sender) client-ip=66.111.12.234;
Authentication-Results: redacted;
spf=pass (redacted: domain of smore@genuent.net designates 66.111.12.234 as permitted sender) smtp.mail=smore@genuent.net;
dkim=pass header.i=@jobdivabk.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=jdkey1; d=jobdivabk.com;
h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=Xc5xxkfBSAn2WhQQQbemRbSXjjk=;
b=tkZjQSiyq8Yv60U9CVOP04OOLJR+HR45WJHllPEAQ6POUsc9htomD/y5oTazIOKL6sTkqoq6f5cU
O93MIHaCFZwStXuhYNM0mez+Wj7fhSCzSL0bYhk5iZPw/RVxQhCq+zKHTNWdFMuBBfHYHomqXFWN
rC+vQJWq3MVoj8GZItk=
Received: from emailmerge1 (10.10.126.1) by jobdivabk.com id h8eot61ph64v for <TargetEmailAddress>; Fri, 1 May 2015 13:03:15 -0400 (envelope-from <smore@genuent.net>)
Date: Fri, 1 May 2015 13:07:59 -0400 (EDT)
From: "Shubhada(Dana) More" <smore@genuent.net>
To: TargetEmailAddress
Message-ID: <13681410.1003501430500079605.JavaMail.admin@emailmerge1>
Subject: Exchange Engineer--Active Directory and Security - 15-02583
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_100476_32798589.1430500079604"
X-OriginalArrivalTime: 01 May 2015 17:08:00.0371 (UTC) FILETIME=[60A93430:01D08431]

------=_Part_100476_32798589.1430500079604
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
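
One way to pull the fields described above out of a message automatically, as an added example that is not part of the original post. The sample is a trimmed copy of the header shown above, and the names `fingerprint` and `relay_reasons` are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Trimmed copy of the header above; the DKIM hash and signature are left out.
SAMPLE = """\
Received: from jobdivabk.com (jobdivabk.com. [66.111.12.234])
 by redacted with ESMTP id fh3si741962qcb.1.2015.05.01.10.07.59
 for <TargetEmailAddress>; Fri, 01 May 2015 10:07:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=jdkey1; d=jobdivabk.com;
 h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type
Received: from emailmerge1 (10.10.126.1) by jobdivabk.com id h8eot61ph64v
 for <TargetEmailAddress>; Fri, 1 May 2015 13:03:15 -0400
From: "Shubhada(Dana) More" <smore@genuent.net>
Message-ID: <13681410.1003501430500079605.JavaMail.admin@emailmerge1>
"""
HOP = re.compile(r"from (\S+) \((?:[^)]*?\[)?(\d{1,3}(?:\.\d{1,3}){3})\]?\) by (\S+)")

def fingerprint(raw):
    """Extract the fields that identify the sending service, not the nominal sender."""
    msg = message_from_string(raw)
    hops = []
    for received in msg.get_all("Received", []):
        m = HOP.search(" ".join(received.split()))  # unfold continuation lines
        try:
            host, ip, by = m.groups() if m else ("", "", "")
            hops.append((host, ip, by, ipaddress.ip_address(ip).is_private))
        except ValueError:
            continue  # unparsable hop or invalid address: skip it
    dkim = sorted({d.lower() for sig in msg.get_all("DKIM-Signature", [])
                   for d in re.findall(r"(?:^|;)\s*d=([^;\s]+)", sig)})
    return {
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
        "dkim_domains": dkim,
        "hops": hops,
        "message_id_host": msg.get("Message-ID", "").strip("<> ").rpartition("@")[2],
    }

def relay_reasons(fp, relay_domain):
    """List the header evidence that ties a message to relay_domain."""
    reasons = []
    if relay_domain in fp["dkim_domains"] and fp["from_domain"] != relay_domain:
        reasons.append("DKIM d=%s signs mail claiming From: %s" % (relay_domain, fp["from_domain"]))
    for host, ip, by, private in fp["hops"]:
        if host == relay_domain and not private:
            reasons.append("handed to the recipient side by %s [%s]" % (host, ip))
        elif by == relay_domain and private:
            reasons.append("originated on internal host %s (%s)" % (host, ip))
    return reasons
```

Only the Received lines added by your own mail provider are trustworthy; the lower hops and the Message-ID are written by the sending side, so treat them as supporting evidence next to the DKIM domain and the connecting IP.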

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
