Massive System Compromise, or MORONS?

The largest job posting site in the world,, is sending bulk email to a huge number of spamtraps. So far they’ve hit at least two dozen of mine, and in addition mailed the only email address that I ever used to sign up there. That email address was closed eight years ago, and a few years later re-enabled and turned into a spamtrap. There is no ESP involvement; Monster did this from its own IPs.

In addition to being wrong, this was such a mind-bogglingly INSANELY STUPID thing to do that I am seriously considering the possibility that Monster is the victim of a revenge attack, possibly by a disgruntled employee or former employee with access to its system. It is otherwise difficult to imagine how a company that makes its living on the Internet and sends so much legitimate, wanted email could possibly have come up with and carried out this plan. No sane email expert (even at an opt-out ESP) would have thought that this was wise.

Sending IPs:,,,,, and (And probably many more)

Spam Sample:

Actual Headers:

Received: from ( [])
        by <xxx> (Postfix) with SMTP id <xxx>
        for <xxx>; Wed, 26 Oct 2011 16:xx:xx -0500 (CDT)
Received: (qmail 27101 invoked from network); 26 Oct 2011 16:xx:xx -0500
Received: from unica<xxx>.<xxx> (10.5.<xxx>.<xxx>)
  by with SMTP; 26 Oct 2011 16:xx:xx -0500
Date: Wed, 26 Oct 2011 16:xx:xx -0500
From: "Monster" <>
Reply-To: "Monster" <>
Subject: Have you met the new Monster?
To: <xxx>
Message-ID: <<xxx>@<xxx>>
Mime-Version: 1.0
X-TrcId: <xxx>
Content-Type: multipart/alternative; boundary="<xxx>"

Readable Email:

From: Monster <>
To: <spamtrap>
Subject: Have you met the new Monster?
Reply-To: Monster <>

Important Notice: This email is sent as a multi-part message in MIME format. If you are reading this part of the email, you may want to consider upgrading your mail reader so that you can read multi-part MIME messages. Otherwise please log in to your account and update your email preferences, so that from the next time onwards we will send you emails in the format your mail reader can understand. Sorry for any inconvenience.

Have you met the new Monster?


To ensure delivery of this email please add to your Address Book or Safe List.

Can’t view this email? Click here.<xxx><xxx>


We’re more than the Monster you remember.

No other recruitment source comes close to doing what we do to connect the right employer with the right candidate. That’s why more employers around the globe use us to find the perfect candidates.

ONLY Monster has:
6Sense search technology<xxx>
Career Ad Network<xxx>

Call 1-866-395-5616 to learn more.


This email was sent to: <xxx>

This special offer expires 11/30/11 and is valid on the purchase of Job Postings on Offer does not apply to purchase of Target Slot or TargetPost(TM). Discount calculated from a la carte pricing. Not valid in conjunction with volume pricing discounts. One offer per customer/account. Offer valid in the U.S. only. This offer subject to customer’s agreement to additional terms and conditions. Lower pricing on select products may be available online.

Please do not reply to this email. Questions? Email us directly by clicking here<xxx>
or open a new web browser, type in:<xxx>

If you no longer wish to receive Monster marketing emails, please click here<xxx>

Requests for unsubscribing may take up to 10 days to take effect. You will still receive service updates.

If you have any doubt about the authenticity of an email from Monster, simply open a new web browser, type in:<xxx>
log into your Monster account safely and securely and then perform the requested activity.

To read the Monster Privacy Statement, visit<xxx>
You can also read about how to avoid email fraud<xxx>
and protect your Monster password<xxx>

This is an advertising message from Monster, 5 Clock Tower Place, Suite 500, Maynard, MA 01754.

Copyright 2011 – MONSTER is a registered trademark.
All rights reserved.

One Response to Massive System Compromise, or MORONS?

  1. A few hours after I blogged, Spamhaus listed in the SBL for this spam run. Normally mainsleaze spam isn’t appropriate for blocklisting, but normally mainsleaze spam doesn’t hit more spamtraps than your average botnet. :/ So this was a special case.

    A friend at Spamhaus indicates to me that this whole episode was due to a list purchase from an unidentified list seller. promised not to buy more lists, and the SBLs that were opened for this spam run were closed.

    I REALLY hope rats out the list seller. But maybe they’re just too embarrassed. They should be embarrassed. Sheesh.

Leave a Reply

Go back to top