It’s hard enough finding meaningful employment these days without dealing with resume thieves, and unscrupulous offshore companies. I used to think that it was only the indian (intentionally not capitalized) recruiters who were flagrant frauds, but it seems that the scam artists are now sitting on the beach, sipping mojitos, while conning job searchers. Recently, I answered an ad for a Delphi position in Austin, Texas posted on www.dice.com. There always seems to be a Delphi requirement in Austin, however the shady, offshore, way away, in Bangalore Punjabi scammers of Encora usually are the guilty party so I wasn’t immediately alarmed.
I submitted a resume and cover letter, then groaned inwardly when I learned the company had an offshore headquarters. But, it was located in Costa Rica so it should be okay—right? I was further reassured when first I spoke to a very nice lady (good English) and an account manager (who also spoke good English). After our conversation, the manager asked for a Word-formatted version of my resume since I always send resumes as .pdf files (and you should too). The manager said that he wanted his team to make some adjustments to it and would email me the revised version before sending it off to the client. His excuse sounded reasonable so I assented and sent him the requested document.
Everything sounded good. Well, as good as it gets in this job market anyway.
A couple of days passed; I heard nothing back from the company about my ‘revised’ resume but I did receive several job-scam emails from, curiously enough, Costa Rica. Also, curiously, I still hadn’t heard back from the company nor were they returning my emails. In an extraordinary lapse of my usual proclivity towards suspicion, I passed the email off as a mere coincidence that days before I was corresponding with what I thought was a legitimate business from Costa Rica and now I was getting spam from Costa Rica. After all, according to my latest self-given tarot reading, I’m supposed to align more with the element of Water and thus nurture a more loving and trusting attitude toward people.
Screw that.
I still like my dog better than I like most people, and I definitely trust my dog more than I trust people.
I know, I’m a Wiccan High Priest and the stereotypical portrayal of Wiccans is that they’re full of love and light, think only loving thoughts, and send out only good energy, while hopping and frolicking in the clover with all the other New Age fluffy bunnies. Well, to borrow a line from John Travolta in the movie, Michael, I’m not that kind of witch. Actually, I consider myself a warlock (don’t get your cottontails all twisted you lot of fluffy bunnies) but that is a topic for another article.
The following day, I had three more scam emails from the same Costa Rican ISP (Internet Service Provider). That’s when I decided to track this piece of whale dung down and see if I couldn’t at least get his internet account banned at his ISP.
In the indented paragraphs that follow, I’ve pasted excerpts from the email headers, Whois information from InterNIC and several registrars, plus some traceroute information. How I did all of that is beyond the scope of this weblog article but I promise to explain the techniques I used in a subsequent posting.
My email to several abuse email addresses began thus:
I have been receiving 3 to 4 emails a day from this account or a similarly geographically located account, all for non-existent jobs or to act as an agent selling stolen goods or information, or money laundering schemes. The host server is located at 201.200.140.41.
These emails began after I answered a job ad on dice.com with a company (formalized.com) located in Costa Rica. I don’t think I’m receiving the spam directly from this company; perhaps the offshore personnel who process the resumes sold my email address. I only use that email address to reply to job postings so I know that any spam sent to that address has to have ultimately begun with a reply to an employer. I have copied them on this email in case they wish to mount their own investigation.
I’ve broken down my analysis of the email headers below so that perhaps seeing the anatomy of these email headers will help track down spammers who are plaguing your inboxes.
——————————————————————————————-
Email Header info
——————————————————————————————-
Received: (qmail 12284 invoked from network); 25 Aug 2010 01:38:48 -0000
My Mail Server
—————-
Received: from unknown (HELO p3pismtp01-028.prod.phx3.secureserver.net) ([10.6.12.38])
(envelope-sender <bantoinee@hotmail.com>)
by p3plsmtp05-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <insert your email address here>; 25 Aug 2010 01:38:48 -0000
X-IronPort-Anti-Spam-Result: AkcCAFoRdExBNr7XlGdsb2JhbACDF49jKY0WFQEBAQEJCwgJEQMfrB88iFuJB4EigyJzBIQwgXiGPg
Hotmail servers
—————-
Received: from bay0-omc4-s13.bay0.hotmail.com ([65.54.190.215])
by p3pismtp01-028.prod.phx3.secureserver.net with ESMTP; 24 Aug 2010 18:38:47 -0700
Received: from BAY110-DS5 ([65.54.190.199]) by bay0-omc4-s13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 24 Aug 2010 18:38:47 -0700
Originating IP
—————-
X-Originating-IP: [201.200.140.41] <-- Trace this IP and you will find the country and city of origin of the spammer where he logged onto the internet.
Registrant information for IP address 201.200.140.41
—————————————————————
NetRange: 201.0.0.0 – 201.255.255.255
CIDR: 201.0.0.0/8
OriginAS:
NetName: LACNIC-201
NetHandle: NET-201-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: TINNIE.ARIN.NET
NameServer: NS3.AFRINIC.NET
NameServer: SEC1.AUTHDNS.RIPE.NET
NameServer: NS2.DNS.BR
NameServer: SEC3.APNIC.NET
NameServer: NS2.LACNIC.NET
NameServer: NS.LACNIC.NET
NameServer: NS-LACNIC.NIC.MX
OrgName: Latin American and Caribbean IP address Regional Registry
OrgId: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY
RegDate: 2002-07-27
Updated: 2007-01-09
Ref: http://whois.arin.net/rest/org/LACNIC
ReferralServer: whois://whois.lacnic.net
OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Whois Info
OrgTechPhone: 999-999-9999
OrgTechEmail: whois-contact@lacnic.net
OrgTechRef: http://whois.arin.net/rest/poc/LACNIC-ARIN
Specific IP Allocation Information via lacnic.net
——————————————————–
inetnum: 201.200.136/21
status: reallocated
owner: ESCAZU
ownerid: CR-ESCA-LACNIC
responsible: Desarrollo de la Red – ICE
address: 100032, 1, 1
address: 1 – Oeste -
country: CR
phone: +506 22207465 []
owner-c: REJ
tech-c: REJ
abuse-c: REJ
created: 20080901
changed: 20080901
inetnum-up: 201.192/12
nic-hdl: REJ
person: Desarrollo de la Red – DT-DEP-ICE
e-mail: gspam@ICE.GO.CR
<-- By all means spam these bastards. They said they couldn’t do anything about spam even though this is the listed abuse email address for this registrar.
address: 10032-1000 San José, Costa Rica, 10032, San José
address: 10032-100 – San José – cr
country: CR
phone: +506 22423703 []
created: 20041004
changed: 20100526
X-Originating-Email: [bantoinee@hotmail.com]
Message-ID: <BAY110-DS566415E2FC19466B9A411BE840@phx.gbl>
Return-Path: bantoinee@hotmail.com
From: <bantoinee@hotmail.com>
To: <email address obfuscated>
Reply-To: hire.manager@eurodirectinvestmail.com <-- see registrar info for this domain below
Subject: perfect vacancy 1282700968
Date: Wed, 25 Aug 2010 05:49:32 +0400
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8064.206
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8064.206
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: binary
X-OriginalArrivalTime: 25 Aug 2010 01:38:47.0643 (UTC) FILETIME=[43118AB0:01CB43F6]
X-Nonspam: None
The registrar information for the return email address and the domain of that email address is listed below this line.
Domain name: eurodirectinvestmail.com
————————————————–
IP Address 195.226.218.28 (Italy)
Registrar bizcn.com
Registrant Contact:
CarleLonger
Carle Longer info@eurodirectinvestmail.com
+1.7077631573 fax: +1.7077631573
227 Alta Dr.
94954 CA Petaluma
us
Administrative Contact:
Carle Longer info@eurodirectinvestmail.com
+1.7077631573 fax: +1.7077631573
227 Alta Dr.
94954 CA Petaluma
us
Technical Contact:
Carle Longer info@eurodirectinvestmail.com
+1.7077631573 fax: +1.7077631573
227 Alta Dr.
94954 CA Petaluma
us
Billing Contact:
Carle Longer info@eurodirectinvestmail.com
+1.7077631573 fax: +1.7077631573
227 Alta Dr.
94954 CA Petaluma
us
DNS:
ns1.data-centr.lv
ns2.data-centr.lv
Created: 2010-08-24
Expires: 2011-08-24
It wouldn’t surprise me if this contact information is totally bogus since eurodirectinvestmail.com is registered by a Chinese registrar (bizcn.com). This low-life-bottom-feeder knows that the Chinese won’t do anything about spam.
One final note, I warned spammers that I would publish their email addresses for spam bots to harvest. Come hither spam bots, I have a couple tasty tidbits (pun intended—tidbits, bits, bytes—get it) for you: jim.mchood@formalized.com and marnie.barranco@formalized.com.
I did copy the company in Costa Rica on this email. Strangely enough, the spam from Costa Rican scammers has suddenly stopped and the company there still won’t return my emails. So come hither spam bots and acquire the addresses of your new friends, and please send them your love and my warmest regards.
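The header walk-through above, as an added example that is not part of the original post: a small Python script that pulls the relay chain, the provider-supplied X-Originating-IP, and the From/Reply-To mismatch out of the headers quoted in the post. The function names are illustrative and the recipient address is a placeholder.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers quoted in the post, continuation lines re-indented; recipient is a placeholder.
RAW = """\
Received: (qmail 12284 invoked from network); 25 Aug 2010 01:38:48 -0000
Received: from unknown (HELO p3pismtp01-028.prod.phx3.secureserver.net) ([10.6.12.38])
 (envelope-sender <bantoinee@hotmail.com>)
 by p3plsmtp05-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP
 for <recipient@example.invalid>; 25 Aug 2010 01:38:48 -0000
Received: from bay0-omc4-s13.bay0.hotmail.com ([65.54.190.215])
 by p3pismtp01-028.prod.phx3.secureserver.net with ESMTP; 24 Aug 2010 18:38:47 -0700
Received: from BAY110-DS5 ([65.54.190.199]) by bay0-omc4-s13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Tue, 24 Aug 2010 18:38:47 -0700
X-Originating-IP: [201.200.140.41]
From: <bantoinee@hotmail.com>
Reply-To: hire.manager@eurodirectinvestmail.com
Subject: perfect vacancy 1282700968
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)")

def received_hops(raw):
    """Return relay hops oldest-first as (from_host, ip, by_host, is_public)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:  # local hand-offs such as "(qmail ... invoked)" carry no peer IP
            ip = ipaddress.ip_address(m.group(2))
            hops.append((m.group(1), str(ip), m.group(3), ip.is_global))
    return hops

def summarize(raw):
    """Collect the fields an abuse report needs from one message's headers."""
    msg = message_from_string(raw)
    claimed = (msg.get("X-Originating-IP") or "").strip("[] ")
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return {
        # Written by the sender's webmail provider, so only as reliable as that provider.
        "origin_ip": claimed or None,
        "origin_is_public": bool(claimed) and ipaddress.ip_address(claimed).is_global,
        "hops": received_hops(raw),
        "reply_to_differs": bool(reply_dom) and reply_dom != from_dom,
    }
```

Only the peer IPs recorded by your own provider's servers are independently observed; older Received lines and X-Originating-IP are whatever the sending side wrote, so treat them as leads for the abuse desk rather than proof.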