Tag Archives: Privacy

Recruiters’ new (spam) tools

Intro

I’ve recently been getting a slew of e-mails from recruiters. Hooray! Right? Except…no. Don’t get me wrong: we all have jobs and I’m happy to get e-mails from recruiters. The issue is that these are e-mails to an address which I never published on my resume and have intentionally hidden from any public space. So how have they come into possession of these e-mails? Enter pseudo-spam companies….

The Nadir of the Internet

It took a long time to track down how my private e-mail address was being distributed, probably because I’m not as in tune with recruiting. However, I’ve had a number of exchanges that went something like the following:

Recruiter: Hi!  I’m looking for qualified individuals for …

Me: Hi!  Where’d you get this e-mail address from?

At this point, the recruiter went silent… So I tried a different tactic:

Recruiter: Hi!  I’m looking for qualified individuals for …

Me: Hi!  I’d be happy to take a call as long as you tell me where you got this e-mail from.

Recruiter: Sure, it’s from a tool we’re using to contact qualified individuals from.  When can we schedule a chat?!

At this point, it becomes clear that they know what they’re doing is shady at best… Why wouldn’t they tell me which?  My guess is that the tools are encouraging the end users to not tell which tool.  So I refuse to take a call until they tell me which specific tool and we see follow-ups like:

Me: I’m interested in which specific tool.  I’ll take a call, but only on the condition that you tell me specifically which utility you’re using.

Recruiter: OK, it’s this maybe illegal thing called _____

Aha!  And now we’ve found them.   It turns out that _____ company is basically set up to gather e-mail addresses through various sources (my guess is most are illegal) and then resell them to people that want to contact you in an unsolicited manner.  Some of them harvest through public and non-public sources while some guess your e-mail address through heuristics (e.g. “<first initial>.<last name>@yourcompany.com”).  By my understanding, e-mail harvesting is illegal in most countries, including the US, but they’re reselling to 3rd parties (recruiters) that are ultimately e-mailing you, so it’s extremely difficult to track down.  There’s never an unsubscribe link and never an easy filter to put on to prevent this garbage.

Companies

Turns out there are a variety of companies that are all in competition for the best possible spam-enablers.  These companies include:

  • Contactout
  • Lusha
  • Hiretual
  • Entelo
  • ZoomInfo
  • Connectifier
  • EmailHunter
  • FindThatLead

and many others

What can we all do about it?

In order to help everybody out, I collected the most common of these companies at https://docs.google.com/spreadsheets/d/1EiiMwVO49oi4NIYEeMDoA9684RkD5oOCBuRVYS9d-p0/edit?usp=sharing . I also made a single, simple link on that page to remove yourself from all of these in one go. Please do share this with your friends to help keep them from getting unsolicited e-mail from recruiters. If there are other companies like these that you know about, please submit them at https://docs.google.com/forms/d/1XYYcas9DZexd9HEsgrgfuzLxH8UAdJHDW-Ec_QwVrqU/edit and I’ll review & add them in. This page also includes a link to report them to their hosting providers as they are (probably) violating their terms of service by being complicit in helping companies send unsolicited e-mail.


Filed under Projects, Ranting and Raving

Ad-blocking and extra privacy for your devices

The back-story:

As one of my friends has stated…

The Internet is a scary place without Adblock

It’s true.  And while I think he was largely referring to the ubiquity and annoying nature of many ads, the pervasiveness of shady no-opt-out cross-website tracking and malware are what worry me the most.  Now, as we go more and more into a mobile-device driven society, malware developers and tracking companies are spending more time and money investing in these platforms.  It makes sense — Adblock works on all major browsers on a PC or Mac, but there are very few controls for mobile platforms.

I was recently debugging traffic sent to/from my phone and I was a bit surprised (and upset) to see that many applications were sending my phone’s IMEI (an unchangeable hardware address) along with data about me to a 3rd party advertising service which was registering and linking the device to a profile which was impossible to erase.  So no matter what — uninstall/reinstall the application, completely wiping the data from the application, even completely factory resetting the phone — the IMEI stayed the same and thus my advertising profile and personal information were being persisted.  What’s worse is that, because this is a 3rd party being used by multiple applications, data about me was being shared across multiple applications without my consent.

Some existing solutions:

So what solutions are there?  Unfortunately, not a lot.  If you have a rooted device, you have some more options, but for this post I’ll stick to non-rooted devices.

  1. Adblock for Android. Google is primarily an advertising company, so it was no surprise to me when they took down Adblock Plus from the Android app store. You can still install it, though there are some caveats about how it works (i.e. it only works on WiFi unless you’re using a rooted device, you have to have “unknown sources” enabled, which adds some dangers to most devices, and updates to it need to be done manually because it’s not in the store).
  2. iOS.  There’s an AdBlock Browser for iOS, but it only blocks in the browser — no apps.  For $2, you can pick up Weblock, which seeks to do essentially the same thing as Adblock for Android does.  It thus comes with the same “WiFi-only” caveat.
  3. Set up or pay a monthly fee for a proxy to filter bad data.  If you route all your Internet traffic through a proxy, you can have rules  to block malware, tracking, etc.  Unfortunately, setting up your own proxy is beyond the technical skills of most, but if you’re fairly technical, there’s privoxy.  This is essentially how Adblock for Android and Weblock work under the covers, so it has the same WiFi-only restriction again.
  4. Set up or pay a monthly fee for a VPN to filter bad data. Like setting up a proxy, setting up a VPN is complicated (vastly more so, actually), but it does allow you to get around the WiFi-only restriction, as you can connect to a VPN from a cell network.
  5. Block via DNS.  In theory, if you use OpenDNS for your DNS provider, it will block ads and malware.  However, when I tested this, I found their list to be vastly insufficient and I didn’t see any difference between OpenDNS and other DNS providers.  Generally, you can only set your DNS provider on WiFi, so again, this carries a WiFi-only restriction.

A new, completely free, cross-platform, WiFi+cell solution:

I’ve set up my own caching DNS provider at 69.12.78.199 and 69.12.78.206 which routes many malware and advertising servers into a black hole. It uses OpenDNS as its DNS server for IPs that don’t match malware/advertising servers. If you’re on WiFi, you can just use these (follow these instructions for Android or these instructions for iOS, but use 69.12.78.199 and 69.12.78.206 instead of 8.8.8.8 and 8.8.4.4). There are apps which will automatically switch these for you for Android (and maybe iOS?).
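The blackhole-or-forward decision described above, as an added example (not the code running on the author’s servers). It assumes a hosts-format blocklist, a 0.0.0.0 sinkhole answer and 208.67.222.222 (a public OpenDNS resolver) as upstream; the blocked domains and function names are constructed for illustration.

```python
import ipaddress

# Constructed hosts-format blocklist; the domains are placeholders.
SAMPLE_BLOCKLIST = """
# ad / tracking hosts (constructed sample)
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
not-an-ip broken.example.net
0.0.0.0 Metrics.Example.COM.
"""

SINKHOLE = "0.0.0.0"          # answer handed back for blocked names
UPSTREAM = "208.67.222.222"   # assumption: OpenDNS public resolver


def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse hosts-format lines into a set of blocked names."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank line or comment
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed entry: skip it rather than block on it
        for name in map(normalize, parts[1:]):
            if name and name != "localhost":
                blocked.add(name)
    return blocked


def resolve_action(qname, blocked):
    """Sinkhole qname if it, or any parent domain, is on the blocklist."""
    labels = normalize(qname).split(".")
    # Compare on label boundaries, never substrings, and stop before the
    # bare TLD so a stray entry cannot blackhole a whole top-level domain.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return ("sinkhole", SINKHOLE)
    return ("forward", UPSTREAM)
```

Matching on whole labels is what keeps `notads.example.net` resolvable while `cdn.ads.example.net` is sinkholed along with its blocked parent.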

 

If you want this on your cell network as well, this can be done via VPN, which I’ve also set up.  We won’t route any traffic through it, but simply use it to fool the OS into using our DNS even when we’re on a cell network.

On Android/iOS:

  1. Set up a new L2TP/IPSec PSK VPN connection, as per these instructions for Android or these instructions for iOS:
    1. The server address is “noads.eskibars.com”
    2. The IPSec pre-shared key is “vpn”
    3. On iOS, turn off the “Send All Traffic” button. This will prevent the VPN connection from actually forwarding traffic in, thus only using the DNS settings. It is important that you apply this setting because the VPN I’ve set up doesn’t actually send traffic to the Internet — it only provides DNS information.
    4. On Android, in the “forwarding routes” configuration section, set it to “127.255.255.1/32”. This will prevent the VPN connection from actually forwarding traffic in, thus only using the DNS settings. It is important that you apply this setting because the VPN I’ve set up doesn’t actually send traffic to the Internet — it only provides DNS information.
  2. Once you’ve saved the connection, you can connect in with username “vpn” and password “vpn”

Voila!  Enjoy and let me know how it works!


Filed under Projects