Who is Behind Job Spam?

Posted On 2015-05-01 by dwirch
Tags: Blog Email Security 
Views: 3842

If you have been in the job market, chances are that you have received a lot of "offers" from recruiters. Lots of times, these "offers" are for short-term contracts, in random places around your country. I thought I'd pick apart the email header, and share it here.

It's not uncommon to receive email from recruiters, especially through services where you have posted your resume. It happens, and most times, recruiters will stop emailing you if you ask. However, there are those that simply don't care about the number of emails that they send. Why is this bad? You, as the potential employee become inundanted with "offers" that don't apply to you, and you may miss one that does.

I received a message from "Dana" at Willis Group LLC in Huntington Beach, California this morning, for a 12 month contract position in Glendale. I received this message because "Dana" performed a keyword search for Active Directory on a service called JobDiva. Even though the one place that my resume is posted specifically points out that I am not open to contracts, nor am I open to relocation, she still sent me this message.

For those that don't know, JobDiva is a service that scrapes contact information and resumes from job boards such as Monster, Dice, Indeed, and The Ladders, and allows their subscribers to perform searches against this data for potential matches for positions that are open. Messages are then sent directly from the Job Diva servers to the target recipients. While this might seem like a great way to contact potential recruits, most times this method fails. Don't get me wrong, it can be a great method, if wielded correctly.

Unfortunately, most of the businesses that subscribe to the Job Diva service are (what appear to be) sweatshops in which mass emails are sent, based on one or two keywords, with no regard for requirements of either the employer or potential employee. This is a huge disservice to all parties, except Job Diva.

  • The employer loses out on potential recruits
  • The recruit gets inundated with spam, potentially overlooking valid offers
  • Even the spammer loses out, because people start filtering out their messages. No recruit, no bonus.

So the only winner is Job Diva, since the spammer is buying their service. Quite a racket, if you ask me.

I thought I would take a moment to share with the public how to spot this Job Diva spam. Even though the spam appears to be coming from a variety of different individuals or companies, Job Diva is the common factor behind most of them. I've copied the header out of the email I received this morning, and color coded certain pieces. Innocent bystander information has been changed or redacted, with only offenders information remaining intact. Why did I leave their information in place? Why not? I hope spam bots crawl all over this article, and pick up their information.

Use this information as you see fit.

Senders email address - This is the email address of the JobDiva subscriber that is sending the spam. If you hit "Reply" for the email, this is where it will go.

Internal IP address - Internal IP address on the JobDiva network that is sending the spam, or the server that is executing the mailmerge. Just an interesting bit of info that gives insight into the internal network at the service provider.

Originator "Signature" - These are the lines that are key in identifying JobDiva spam.

Domain Name - The smoking gun - this spam is coming from the JobDiva domain. You can try filtering on this, but sometimes a service provider can or will spoof this information. It doesn't happen much any more, since most receiving servers will perform reverse lookups to check the validity of the sending server.

Mailmerge server - Server name on the internal network that is performing mail merge operations. Another intersting tidbit from the internal network. Mail merge is a software operation describing the production of multiple (and potentially large numbers of) documents from a single template form and a structured data source. The letter may be sent out to many "recipients" with small changes, such as a change of address or a change in the greeting line. Basically, it is a form letter, with your personal information sprinkled in key places.

Source IP Address - This is the IP address of the JobDiva mail sender. You can use this info to filter mail from this sender, or report it to a Realtime Blackhole List (RBL).

Authentication-Results: redacted; spf=softfail (sender IP is redacted) smtp.mailfrom=smore@genuent.net; dkim=none header.d=genuent.net; x-hmca=fail header.id=smore@genuent.net
X-SID-PRA: smore@genuent.net
X-SID-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: gamVN+8Ez8V+RHg+F+brAdzwKaGMJ63BX76t+L766JDagmg9dXRuwzw5u6pNs6Z5yNJuR8TPsH3JvUFVmUhjrayrqUiVOgv7LkRMY5I6XatpAYwI+DDg/7Bg290iOtLbc+eIzCkjCAjWBnmjSzM8c23iJYJRiJH+LSdsHTQg/PE89YoFIp4PNwrossrMitlMaAqzN2iJogFu9ODVLwKuHmn88wvg6xxg
Received: from redacted ([redacted]) by COL004-MC1F20.redacted over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
Fri, 1 May 2015 10:08:00 -0700
Received: by redacted with SMTP id zk7so68463567lbb.0
for <TargetEmailAddress>; Fri, 01 May 2015 10:08:00 -0700 (PDT)
X-Received: by with SMTP id g7mr8951122lbh.1.1430500080048;
Fri, 01 May 2015 10:08:00 -0700 (PDT)
Return-Path: <smore@genuent.net>
Received: from jobdivabk.com (jobdivabk.com. [])
by redacted with ESMTP id fh3si741962qcb.1.2015.
for <TargetEmailAddress>;
Fri, 01 May 2015 10:07:59 -0700 (PDT)
Received-SPF: pass (redacted: domain of smore@genuent.net designates as permitted sender) client-ip=;
Authentication-Results: redacted;
spf=pass (redacted: domain of smore@genuent.net designates as permitted sender) smtp.mail=smore@genuent.net;
dkim=pass header.i=@jobdivabk.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=jdkey1; d=jobdivabk.com;
Received: from emailmerge1 ( by jobdivabk.com id h8eot61ph64v for <TargetEmailAddress>; Fri, 1 May 2015 13:03:15 -0400 (envelope-from <smore@genuent.net>)
Date: Fri, 1 May 2015 13:07:59 -0400 (EDT)
From: "Shubhada(Dana) More" <smore@genuent.net>
To: TargetEmailAddress
Message-ID: <13681410.1003501430500079605.JavaMail.admin@emailmerge1>
Subject: Exchange Engineer--Active Directory and Security - 15-02583
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-OriginalArrivalTime: 01 May 2015 17:08:00.0371 (UTC) FILETIME=[60A93430:01D08431]

Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

About the Author

has posted a total of 193 articles.

Comments On This Post

By: AnonymousCoward
Date: 2016-06-13

You can listen here how Indian outbound call centers are using JobDiva: https://soundcloud.com/user-295952651/jayanthi-chauhan-first-tek-discussing-use-of-jobdiva

By: dwirch
Date: 2016-06-13

Thanks for posting this. These audio clips give a clear insight into how these guys operate. It's amazing to me that these can hide the truth from prospective applicants, and simply get away with it.  Outright lying to people.  Damn.

By: AnonymousCoward
Date: 2016-12-07

This is useful but very too late , I was suffering about six months for receiving spamming email from jobdiva because , I am sorry but I didn't check the email inline to find the sender that's why it took me that long to figure it out. when I found it by one of the recruiters, I called job diva twice until they remove my name from their screwed database. I am so unhappy with what they do without job seekers permission ESPECIALLY even if you unsubscribe from email it will only unsubscribe you from their subscribers and member so you still receive bunch of emails on daily basis even if you have no resume in the net world. if I had time and that kind of money I would simply sue them.

By: AnonymousCoward
Date: 2017-01-19

I have started to think it is also an AT&T application, either official and unpublicized or unofficial and underground. So many spam jobs I get seem to refer to something I've said in a cell phone conversation or searched online (i.e., I update a website and then receive web developer roles, I handle a financial matter then receive financial analyst roles, I get something shipped to the house and receive logistics positions, I mention a city in casual conversation and get roles based in that city). Web history is available in Apple & Google accounts, passwords have been stolen and published and all of this information could be accessed through a cell phone. It just seems strange to me that the economy is supposedly strong, unemployment is supposedly low yet most of what we get is spam. It just doesn't make sense.


Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.

Or you can drop a note to the administrators if you're not sure where you should post.

Your IP address is:

Before you can post, you need to prove you are human. If you log in, this test goes away.

Code Links