
Who is Behind Job Spam?


If you have been in the job market, chances are that you have received a lot of "offers" from recruiters. Lots of times, these "offers" are for short-term contracts, in random places around your country. I thought I'd pick apart the email header, and share it here.

It's not uncommon to receive email from recruiters, especially through services where you have posted your resume. It happens, and most times, recruiters will stop emailing you if you ask. However, there are those that simply don't care about the number of emails that they send. Why is this bad? You, as the potential employee, become inundated with "offers" that don't apply to you, and you may miss one that does.

I received a message from "Dana" at Willis Group LLC in Huntington Beach, California this morning, for a 12 month contract position in Glendale. I received this message because "Dana" performed a keyword search for Active Directory on a service called JobDiva. Even though the one place that my resume is posted specifically points out that I am not open to contracts, nor am I open to relocation, she still sent me this message.

For those that don't know, JobDiva is a service that scrapes contact information and resumes from job boards such as Monster, Dice, Indeed, and The Ladders, and allows its subscribers to search this data for potential matches for open positions. Messages are then sent directly from the JobDiva servers to the target recipients. While this might seem like a great way to contact potential recruits, most times this method fails. Don't get me wrong, it can be a great method, if wielded correctly.

Unfortunately, most of the businesses that subscribe to the JobDiva service are (what appear to be) sweatshops in which mass emails are sent, based on one or two keywords, with no regard for the requirements of either the employer or the potential employee. This is a huge disservice to all parties, except JobDiva.

So the only winner is JobDiva, since the spammer is buying their service. Quite a racket, if you ask me.

I thought I would take a moment to share with the public how to spot this JobDiva spam. Even though the spam appears to be coming from a variety of different individuals or companies, JobDiva is the common factor behind most of them. I've copied the header out of the email I received this morning, and color coded certain pieces. Innocent bystander information has been changed or redacted, with only the offenders' information remaining intact. Why did I leave their information in place? Why not? I hope spam bots crawl all over this article, and pick up their information.

Use this information as you see fit.

Sender's email address - This is the email address of the JobDiva subscriber that is sending the spam. If you hit "Reply" for the email, this is where it will go.

Internal IP address - Internal IP address on the JobDiva network that is sending the spam, or the server that is executing the mailmerge. Just an interesting bit of info that gives insight into the internal network at the service provider.

Originator "Signature" - These are the lines that are key in identifying JobDiva spam.

Domain Name - The smoking gun - this spam is coming from the JobDiva domain. You can try filtering on this, but sometimes a service provider can or will spoof this information. It doesn't happen much any more, since most receiving servers will perform reverse lookups to check the validity of the sending server.

Mailmerge server - Server name on the internal network that is performing mail merge operations. Another interesting tidbit from the internal network. Mail merge is a software operation that produces multiple (and potentially large numbers of) documents from a single template form and a structured data source. The letter may be sent out to many "recipients" with small changes, such as a change of address or a change in the greeting line. Basically, it is a form letter, with your personal information sprinkled in key places.

Source IP Address - This is the IP address of the JobDiva mail sender. You can use this info to filter mail from this sender, or report it to a Realtime Blackhole List (RBL).

x-store-info:sbevkl2QZR7OXo7WID5ZcdJYDvlIhT9R06+eUQgo/Ro=
Authentication-Results: redacted; spf=softfail (sender IP is redacted) smtp.mailfrom=smore@genuent.net; dkim=none header.d=genuent.net; x-hmca=fail header.id=smore@genuent.net
X-SID-PRA: smore@genuent.net
X-AUTH-Result: FAIL
X-SID-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: gamVN+8Ez8V+RHg+F+brAdzwKaGMJ63BX76t+L766JDagmg9dXRuwzw5u6pNs6Z5yNJuR8TPsH3JvUFVmUhjrayrqUiVOgv7LkRMY5I6XatpAYwI+DDg/7Bg290iOtLbc+eIzCkjCAjWBnmjSzM8c23iJYJRiJH+LSdsHTQg/PE89YoFIp4PNwrossrMitlMaAqzN2iJogFu9ODVLwKuHmn88wvg6xxg
Received: from redacted ([redacted]) by COL004-MC1F20.redacted over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
    Fri, 1 May 2015 10:08:00 -0700
Received: by redacted with SMTP id zk7so68463567lbb.0
    for <TargetEmailAddress>; Fri, 01 May 2015 10:08:00 -0700 (PDT)
X-Received: by 10.112.29.39 with SMTP id g7mr8951122lbh.1.1430500080048;
    Fri, 01 May 2015 10:08:00 -0700 (PDT)
Return-Path: <smore@genuent.net>
Received: from jobdivabk.com (jobdivabk.com. [66.111.12.234])
    by redacted with ESMTP id fh3si741962qcb.1.2015.05.01.10.07.59
    for <TargetEmailAddress>;
    Fri, 01 May 2015 10:07:59 -0700 (PDT)
Received-SPF: pass (redacted: domain of smore@genuent.net designates 66.111.12.234 as permitted sender) client-ip=66.111.12.234;
Authentication-Results: redacted;
    spf=pass (redacted: domain of smore@genuent.net designates 66.111.12.234 as permitted sender) smtp.mail=smore@genuent.net;
    dkim=pass header.i=@jobdivabk.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=jdkey1; d=jobdivabk.com;
    h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=Xc5xxkfBSAn2WhQQQbemRbSXjjk=;
    b=tkZjQSiyq8Yv60U9CVOP04OOLJR+HR45WJHllPEAQ6POUsc9htomD/y5oTazIOKL6sTkqoq6f5cU
    O93MIHaCFZwStXuhYNM0mez+Wj7fhSCzSL0bYhk5iZPw/RVxQhCq+zKHTNWdFMuBBfHYHomqXFWN
    rC+vQJWq3MVoj8GZItk=
Received: from emailmerge1 (10.10.126.1) by jobdivabk.com id h8eot61ph64v for <TargetEmailAddress>; Fri, 1 May 2015 13:03:15 -0400 (envelope-from <smore@genuent.net>)
Date: Fri, 1 May 2015 13:07:59 -0400 (EDT)
From: "Shubhada(Dana) More" <smore@genuent.net>
To: TargetEmailAddress
Message-ID: <13681410.1003501430500079605.JavaMail.admin@emailmerge1>
Subject: Exchange Engineer--Active Directory and Security - 15-02583
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_100476_32798589.1430500079604"
X-OriginalArrivalTime: 01 May 2015 17:08:00.0371 (UTC) FILETIME=[60A93430:01D08431]

------=_Part_100476_32798589.1430500079604
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
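
The fields described above can be checked mechanically, whatever address appears in From. This is an added example, not part of the original post: it parses a trimmed copy of the header with Python's standard email module, where user@example.org and mx.example.org are placeholders for the redacted values and relay_indicators is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators read off the header above; extend the sets when the relay moves.
RELAY_DOMAINS = {"jobdivabk.com"}
RELAY_IPS = {"66.111.12.234"}
MERGE_MSGID = re.compile(r"@emailmerge\d*>?$", re.I)

# Trimmed copy of the page's header. user@example.org and mx.example.org are
# placeholders for the redacted recipient and receiving server.
SAMPLE = """\
Received: from jobdivabk.com (jobdivabk.com. [66.111.12.234])
\tby mx.example.org with ESMTP id fh3si741962qcb.1
\tfor <user@example.org>; Fri, 01 May 2015 10:07:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=jdkey1; d=jobdivabk.com;
\th=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type
Received: from emailmerge1 (10.10.126.1) by jobdivabk.com id h8eot61ph64v
\tfor <user@example.org>; Fri, 1 May 2015 13:03:15 -0400
From: "Shubhada(Dana) More" <smore@genuent.net>
Message-ID: <13681410.1003501430500079605.JavaMail.admin@emailmerge1>

"""

def relay_indicators(raw):
    """Return (From domain, sorted list of relay indicators found in the headers)."""
    msg = message_from_string(raw)
    hits = set()
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())          # undo header folding
        for role in ("from", "by"):
            m = re.search(rf"\b{role}\s+([\w.-]+)", hop)
            host = m.group(1).lower().rstrip(".") if m else ""
            if host in RELAY_DOMAINS:
                hits.add(f"received-{role}:{host}")
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop):
            if ip in RELAY_IPS:
                hits.add(f"source-ip:{ip}")
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([^;\s]+)", sig)
        if m and m.group(1).lower() in RELAY_DOMAINS:
            hits.add(f"dkim-d:{m.group(1).lower()}")
    if MERGE_MSGID.search(msg.get("Message-ID", "").strip()):
        hits.add("message-id:emailmerge")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return from_domain, sorted(hits)

if __name__ == "__main__":
    print(relay_indicators(SAMPLE))
```

Only the Received line written by your own mail server is recorded by a party you trust; the hops below it and the Message-ID are supplied by the sender, so treat those as supporting evidence.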

About this post

Posted: 2015-05-01
By: dwirch
Viewed: 5,390 times

Categories

Security

Email

Blog


Comments

AnonymousCoward posted this comment on 2016-06-13:

You can listen here how Indian outbound call centers are using JobDiva: https://soundcloud.com/user-295952651/jayanthi-chauhan-first-tek-discussing-use-of-jobdiva

dwirch posted this comment on 2016-06-13:

Thanks for posting this. These audio clips give a clear insight into how these guys operate. It's amazing to me that these can hide the truth from prospective applicants, and simply get away with it.  Outright lying to people.  Damn.

AnonymousCoward posted this comment on 2016-12-07:

This is useful but far too late. I suffered for about six months from receiving spam email from jobdiva because, I am sorry, I didn't check the email inline to find the sender; that's why it took me that long to figure it out. When I found it through one of the recruiters, I called job diva twice until they removed my name from their screwed database. I am so unhappy with what they do without job seekers' permission, ESPECIALLY since even if you unsubscribe from email it will only unsubscribe you from their subscribers and members, so you still receive a bunch of emails on a daily basis even if you have no resume in the net world. If I had time and that kind of money I would simply sue them.

AnonymousCoward posted this comment on 2017-01-19:

I have started to think it is also an AT&T application, either official and unpublicized or unofficial and underground. So many spam jobs I get seem to refer to something I've said in a cell phone conversation or searched online (i.e., I update a website and then receive web developer roles, I handle a financial matter then receive financial analyst roles, I get something shipped to the house and receive logistics positions, I mention a city in casual conversation and get roles based in that city). Web history is available in Apple & Google accounts, passwords have been stolen and published and all of this information could be accessed through a cell phone. It just seems strange to me that the economy is supposedly strong, unemployment is supposedly low yet most of what we get is spam. It just doesn't make sense.

 

AnonymousCoward posted this comment on 2021-01-04:

This is a great article! I have been harassed by JobDiva subscribers for years! They simply refuse to help me and delete my information. I am going to bring your information to the Federal Trade Commission and to my state's attorney general. I made a simple request for them to delete my data and they refused. I did not surrender my right to privacy to JobDiva and they are not above the law.

AnonymousCoward posted this comment on 2021-06-08:

Here's my current spam list... feel free to add your own:


AnonymousCoward posted this comment on 2022-03-07:

I got a few today (and over the last few weeks) which appear to be coming from JobDiva as well, but they are using the domain joboppforyou.com as well as/instead of jobdiva.com. There are still several references to JobDiva and it's an email template that looks exactly the same as all the other spammy recruiting firms, so it's pretty clear. I am seriously thinking about reporting this to the domain registrar as well....
