
I was sent an innocuous and genuine looking e-mail with "Welcome back to Facebook" from the address "notification+mnqx54sr@facebookmail.com". I deactivated my account long ago, so was a tad surprised. I was fooled since both the links in the e-mail were directed to the real facebook site, and the actual e-mail addy did not show, just the name, which was "facebook".

But this led me to wonder: as both the links in the e-mail were to the real facebook page, what could the sender possibly gain from such an e-mail?

Edits:

The e-mail addy was notification+mnqx54sr@facebookmail.com

Here is the e-mail (I changed my e-mail addy to myid and the server name to myserver):

Return-Path: <notification+mnqx54sr@facebookmail.com>
Received: from kasse06.itea.myserver (kasse06.itea.myserver [129.241.56.234])
     by mot.itea.myserver (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5) with LMTPA;
     Sat, 03 May 2014 05:39:27 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
    by kasse06.itea.myserver (Postfix) with ESMTP id 806762000F2
    for <myidbak@stud.myserver>; Sat,  3 May 2014 05:39:27 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at kasse06.itea.myserver
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5
    tests=[BAYES_00=-3.6, DKIM_SIGNED=-0.001, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-0.1, HTML_MESSAGE=0.001,
    NTNU_PH_MAIL_SA=1.5, NTNU_PH_PHRS_91=2.9, NTNU_PH_URL_98=0.1,
    RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_NTNU_NICE_DKIM_SPF=-1,
    UNPARSEABLE_RELAY=0.001] autolearn=no
Authentication-Results: kasse06.itea.myserver (amavisd-new); dkim=pass
    header.i=@facebookmail.com
Received: from mx-out.facebook.com (outmail017.ash2.facebook.com [66.220.155.151])
    by kasse06.itea.myserver (Postfix) with ESMTP id 9750A2003C2
    for <myidbak@stud.myserver>; Sat,  3 May 2014 05:39:24 +0200 (CEST)
Received: from facebook.com (2lkICU/ZQQWprcP9zKuyAff/Lpyxvuvbl+Y44S1SuODxClBxdtqLF4w+pN51v+j+ 10.224.41.89)
 by facebook.com with Thrift id 841465dad27411e3bddc0002c9e0e150-14dc74a0;
 Fri, 02 May 2014 20:39:22 -0700
X-Facebook: from 2401:db00:3010:6056:face:0:4f:0 ([MTI3LjAuMC4x]) 
    by www.facebook.com with HTTP (ZuckMail);
Date: Fri, 2 May 2014 20:39:22 -0700
To: myid Bakken Stovner <myidbak@stud.myserver>
From: "Facebook" <notification+mnqx54sr@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>
Subject: Welcome back to Facebook
Message-ID: <6489aeacae881e13b9c2861e43ed7de5@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
Errors-To: notification+mnqx54sr@facebookmail.com
X-Facebook-Notify: account_reactivation; mailid=9ce6218G2dd50372G0G158G3452e4b1
X-FACEBOOK-PRIORITY: 0
X-Auto-Response-Suppress: All
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_6489aeacae881e13b9c2861e43ed7de5"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
    s=s1024-2013-q3; t=1399088362;
    bh=9qoIL602ssAgEP/GBOT1a+TiZQpVHk1yxgybG72Q35c=;
    h=Date:To:From:Subject:MIME-Version:Content-Type;
    b=tVwl5S3WQ746wxhzHqG4iE9Kr5tLrybLPKLPlP+uTo0zon/XiJbu2n0RDsI7rv+1H
     /+W0Dhv/NbuNuXDbrvxPHHA5CPuboFQ8iT44S/tv139l+ZUt+GJDoN2g3V/GMGjha0
     yLwtXftW2J7p7EOAEWMCHq0VcTq44B0+/yB2oK9w=


--b1_6489aeacae881e13b9c2861e43ed7de5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi myid,

Hey myid,

The Facebook account associated with myidbak@stud.myserver was recently =
reactivated.

If you were not the one who reactivated this account, please visit our =
Help Center.

Thanks,
The Facebook Team

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This message was sent to myidbak@stud.myserver at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA =
94303


--b1_6489aeacae881e13b9c2861e43ed7de5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional =
//EN"><html><head><title>Facebook</title><meta http-equiv=3D"Content-Type" =
content=3D"text/html; charset=3Dutf-8" /></head><body =
style=3D"margin:0;padding:0;" dir=3D"ltr"><table cellspacing=3D"0" =
cellpadding=3D"0" id=3D"email_table" =
style=3D"border-collapse:collapse;width:98%;" border=3D"0"><tr><td =
id=3D"email_content" style=3D"font-family:&#039;lucida =
grande&#039;,tahoma,verdana,arial,sans-serif;font-size:12px;"><span =
style=3D"width:620px;color:#FFFFFF;display:none =
!important;font-size:1px;">Hey myid, The Facebook account associated with =
myidbak&#064;stud.myserver was recently reactivated. If you were not the =
one who reactivated this account, please visit our Help Center =
.</span><table cellspacing=3D"0" cellpadding=3D"0" =
style=3D"border-collapse:collapse;width:620px;"><tr><td =
style=3D"font-size:16px;font-family:&#039;lucida grande&#039;,tahoma,verda=
na,arial,sans-serif;background:#3b5998;color:#FFFFFF;font-weight:bold;vert=
ical-align:baseline;letter-spacing:-0.03em;text-align:left;padding:5px =
20px;"><a style=3D"text-decoration: none;" href=3D"https://www.facebook.co=
m/n/?help%2Fsecurity&amp;medium=3Demail&amp;mid=3D9ce6218G2dd50372G0G158G3=
452e4b1&amp;bcode=3D1.1399088362.AbnGaQM9xIhr_Mbi&amp;n_m=3Dmyidbak%40stu=
d.myserver"><span style=3D"background:#3b5998;color:#FFFFFF;font-weight:bol=
d;font-family:&#039;lucida =
grande&#039;,tahoma,verdana,arial,sans-serif;vertical-align:middle; =
font-size:16px;letter-spacing:-0.03em;text-align:left;vertical-align:basel=
ine;">facebook</span></a></td></tr></table><table cellspacing=3D"0" =
cellpadding=3D"0" width=3D"620px" =
style=3D"border-collapse:collapse;width:620px;" border=3D"0"><tr><td =
style=3D"font-size:11px;font-family:LucidaGrande,tahoma,verdana,arial,sans=
-serif;padding:0px;background-color:#f2f2f2;border-left:none;border-right:=
none;border-top:none;border-bottom:none;"><table cellspacing=3D"0" =
cellpadding=3D"0" width=3D"620px" =
style=3D"border-collapse:collapse;"><tr><td style=3D"font-size:11px;font-f=
amily:LucidaGrande,tahoma,verdana,arial,sans-serif;padding:0px;width:620px=
;"><table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" =
style=3D"border-collapse:collapse;width:100%;"><tr><td =
style=3D"font-size:11px;font-family:LucidaGrande,tahoma,verdana,arial,sans=
-serif;padding:20px;background-color:#fff;border-left:none;border-right:no=
ne;border-top:none;border-bottom:none;"><table cellspacing=3D"0" =
cellpadding=3D"0" style=3D"border-collapse:collapse;width:100%;"><tr><td =
style=3D"font-size:11px;font-family:LucidaGrande,tahoma,verdana,arial,sans=
-serif;"><table cellspacing=3D"0" cellpadding=3D"0" =
style=3D"border-collapse:collapse;width:100%;"><tr><td =
style=3D"font-size:11px;font-family:LucidaGrande,tahoma,verdana,arial,sans=
-serif;padding-bottom:5px;"><span style=3D"color:#333333;">Hey =
myid,</span></td></tr><tr><td style=3D"font-size:11px;font-family:LucidaG=
rande,tahoma,verdana,arial,sans-serif;padding-top:5px;padding-bottom:5px;"=
><span style=3D"color:#333333;">The Facebook account associated with =
myidbak&#064;stud.myserver was recently =
reactivated.</span></td></tr><tr><td style=3D"font-size:11px;font-family:L=
ucidaGrande,tahoma,verdana,arial,sans-serif;padding-top:5px;"><span =
style=3D"color:#333333;">If you were not the one who reactivated this =
account, please visit our <a href=3D"https://www.facebook.com/n/?help%2Fse=
curity&amp;medium=3Demail&amp;mid=3D9ce6218G2dd50372G0G158G3452e4b1&amp;bc=
ode=3D1.1399088362.AbnGaQM9xIhr_Mbi&amp;n_m=3Dmyidbak%40stud.myserver" =
style=3D"color:#3b5998;text-decoration:none;">Help Center</a>.</span></td>=
</tr></table></td></tr></table></td></tr></table></td></tr><tr><td =
style=3D"font-size:11px;font-family:LucidaGrande,tahoma,verdana,arial,sans=
-serif;padding:0px;width:620px;"><table cellspacing=3D"0" =
cellpadding=3D"0" width=3D"100%" border=3D"0" =
style=3D"border-collapse:collapse;"><tr><td style=3D"font-size:11px;font-f=
amily:LucidaGrande,tahoma,verdana,arial,sans-serif;padding:0;background-co=
lor:#fff;border-left:none;border-right:none;border-top:1px solid =
#ccc;border-bottom:none;"></td></tr></table></td></tr></table></td></tr></=
table><table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" =
style=3D"border-collapse:collapse;width:620px;"><tr><td =
style=3D"font-size:11px;font-family:&#039;lucida grande&#039;, tahoma, =
verdana, arial, sans-serif;padding:30px 20px;background-color:#fff;border-=
left:none;border-right:none;border-top:none;border-bottom:none;color:#9999=
99;border:none;">This message was sent to <a =
href=3D"mailto:myidbak&#064;stud.myserver" style=3D"color:#3b5998;text-dec=
oration:none;">myidbak&#064;stud.myserver</a> at your request.<br =
/>Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA =
94303</td></tr></table><span style=3D"width:620px;"><img =
src=3D"https://www.facebook.com/email_open_log_pic.php?mid=3D9ce6218G2dd50=
372G0G158G3452e4b1" style=3D"border:0;width:1px;height:1px;" =
/></span></td></tr></table></body></html>



--b1_6489aeacae881e13b9c2861e43ed7de5--
The Unfun Cat
  • Are you absolutely certain the links are really to Facebook? There are ways of disguising links that look genuine to someone who doesn't know all the tricks. – Mark May 03 '14 at 09:51
  • Do you think you could post the email source on pastebin and post the link? This would make it much easier to determine the attacker's intention. There are instructions on viewing the source for many email services here: https://support.google.com/mail/answer/22454?hl=en – thexacre May 03 '14 at 12:00
  • @mit: added the raw text of the e-mail. Thanks for looking at it. – The Unfun Cat May 03 '14 at 17:17
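The question turns on whether the two links really lead to facebook.com, and Mark's comment points out that a link can look genuine while pointing elsewhere. The script below, an added example and not part of the original post, decodes the quoted-printable HTML part the way a mail client would, lists the host behind every href and img src, and flags any that is not under a trusted domain. It also separates the From display name from the address domain (the asker saw only the name "facebook") and picks out the 1x1 image, which reports to the sender that the message was opened even if nothing is clicked. SAMPLE_MIME is a trimmed copy of the message in the question; LOOKALIKE_MIME is a constructed variant with a look-alike host, included only to show the check firing.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html import unescape
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the question's message, same link targets.
SAMPLE_MIME = """\
From: "Facebook" <notification+mnqx54sr@facebookmail.com>
To: myid <myidbak@stud.myserver>
Subject: Welcome back to Facebook
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_sample"

--b1_sample
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The Facebook account associated with myidbak@stud.myserver was recently =
reactivated.

--b1_sample
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html><body><a href=3D"https://www.facebook.co=
m/n/?help%2Fsecurity&amp;medium=3Demail&amp;mid=3D9ce6218G2dd50372G0G158G3452e4b1">Help =
Center</a> This message was sent to <a =
href=3D"mailto:myidbak&#064;stud.myserver">myidbak&#064;stud.myserver</a>
<img src=3D"https://www.facebook.com/email_open_log_pic.php?mid=3D9ce6218G2dd50372G0G158G3452e4b1" =
style=3D"width:1px;height:1px;" /></body></html>

--b1_sample--
"""

# Constructed variant: identical, except the Help Center link points at a
# look-alike host (a reserved .invalid name), the case Mark's comment warns about.
LOOKALIKE_MIME = SAMPLE_MIME.replace(
    "https://www.facebook.co=\nm/n/", "https://www.facebook.com.example.invalid/n/")


def extract_links(raw_message):
    """Return (scheme, host, url) for every href/src in the decoded HTML part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    html = html_part.get_content()  # undoes quoted-printable and the charset
    links = []
    for target in re.findall(r'(?:href|src)\s*=\s*"([^"]*)"', html, flags=re.I):
        url = unescape(target)  # &amp; -> &, &#064; -> @
        parts = urlsplit(url)
        links.append((parts.scheme.lower(), (parts.hostname or "").lower(), url))
    return links


def offsite_links(raw_message, trusted_domains=("facebook.com",)):
    """http(s) links whose host is not the trusted domain or a subdomain of it."""
    def trusted(host):
        return any(host == d or host.endswith("." + d) for d in trusted_domains)
    return [(s, h, u) for s, h, u in extract_links(raw_message)
            if s in ("http", "https") and not trusted(h)]


def tracking_images(raw_message):
    """src of every 1px image: loading it tells the sender the mail was opened."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    found = []
    for tag in re.findall(r"<img\b[^>]*>", html_part.get_content(), flags=re.I):
        src = re.search(r'src\s*=\s*"([^"]*)"', tag, flags=re.I)
        if src and "1px" in tag:
            found.append(unescape(src.group(1)))
    return found


def sender_display(raw_message):
    """(display name, address domain) of From:, which clients often show separately."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower()


if __name__ == "__main__":
    print("links:", extract_links(SAMPLE_MIME))
    print("off-site:", offsite_links(SAMPLE_MIME))
    print("off-site in look-alike variant:", offsite_links(LOOKALIKE_MIME))
    print("tracking images:", tracking_images(SAMPLE_MIME))
    print("sender:", sender_display(SAMPLE_MIME))
```

The host is taken from the decoded href, not from the link text, which is the distinction that matters when a message is checked by eye. For the message in the question both links resolve to www.facebook.com and the only thing the sender learns without a click is the open-tracking image load.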

2 Answers


I think this is a legitimate email from facebook, but someone has tried (and possibly succeeded) to compromise your facebook account and re-activate it.

My evidence for this is the DKIM signature, and assuming kasse06.itea.myserver is your server (not a potential attacker) then it seems to have passed.

Authentication-Results: kasse06.itea.myserver (amavisd-new); dkim=pass

The DKIM signature means that the message must have been digitally signed using a key only facebook knows, and you can verify it by checking the DNS records for s1024-2013-q3._domainkey.facebookmail.com and using the (different, aka. public) key to decrypt the signature and make sure they match (this process is obviously normally done automatically by mail servers).

It also seems that the IP 66.220.155.151 mentioned falls within the 66.220.155.128/25 range specified in the SPF records for facebookmail.com.

There's obviously a chance I'm wrong, so I'd avoid clicking any links in the email and contact facebook's help desk (the details for which you should obviously obtain elsewhere than from that email).

These links might be useful:

https://www.facebook.com/help/www/131719720300233

https://www.facebook.com/hacked

thexacre
  • Even though I do not have the knowledge to know which answer is the correct one, it seems you did more detective work so accepting your answer until someone makes the case that the other is the correct one. – The Unfun Cat May 04 '14 at 07:45
  • This is what I was fearing. Note to self, and pace the great John Hodgman, "password1234" is not a good password. I see it is possible to add a credit card to your account now, I'm guessing that was the motivation for hacking, not anything personal. – The Unfun Cat May 04 '14 at 07:52
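The answer's reasoning rests on three header facts: the receiving MX reported dkim=pass for facebookmail.com, the DKIM-Signature names the selector and domain whose public key is published in DNS, and the connecting IP falls inside the SPF range. The script below is an added example, not thexacre's code, that pulls those facts out of the headers and states the checks a verifier performs, including one the answer only assumes: that the Authentication-Results header was written by your own MX rather than supplied by the sender. SAMPLE_HEADERS is a copy of the relevant headers from the question; FACEBOOKMAIL_SPF_RANGES is an assumption taken from the answer's statement (a live check resolves the TXT record instead), and the actual RSA signature check is left to a DKIM library since it needs the DNS-published key.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: the authentication-relevant headers copied from the
# message in the question, body omitted ("myserver" is the asker's redaction).
SAMPLE_HEADERS = """\
Authentication-Results: kasse06.itea.myserver (amavisd-new); dkim=pass
    header.i=@facebookmail.com
Received: from localhost (localhost [127.0.0.1])
    by kasse06.itea.myserver (Postfix) with ESMTP id 806762000F2
    for <myidbak@stud.myserver>; Sat,  3 May 2014 05:39:27 +0200 (CEST)
Received: from mx-out.facebook.com (outmail017.ash2.facebook.com [66.220.155.151])
    by kasse06.itea.myserver (Postfix) with ESMTP id 9750A2003C2
    for <myidbak@stud.myserver>; Sat,  3 May 2014 05:39:24 +0200 (CEST)
From: "Facebook" <notification+mnqx54sr@facebookmail.com>
Subject: Welcome back to Facebook
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
    s=s1024-2013-q3; t=1399088362;
    bh=9qoIL602ssAgEP/GBOT1a+TiZQpVHk1yxgybG72Q35c=;
    h=Date:To:From:Subject:MIME-Version:Content-Type;
    b=tVwl5S3WQ746wxhzHqG4iE9Kr5tLrybLPKLPlP+uTo0zon/XiJbu2n0RDsI7rv+1H
     /+W0Dhv/NbuNuXDbrvxPHHA5CPuboFQ8iT44S/tv139l+ZUt+GJDoN2g3V/GMGjha0
     yLwtXftW2J7p7EOAEWMCHq0VcTq44B0+/yB2oK9w=

"""

# Assumed: the ip4 range the answer quotes from facebookmail.com's SPF record.
FACEBOOKMAIL_SPF_RANGES = ["66.220.155.128/25"]
LOCAL_MX = "kasse06.itea.myserver"  # the asker's receiving MX, per the headers


def header(raw, name):
    """A header value with line folding collapsed to single spaces."""
    value = email.message_from_string(raw).get(name)
    return " ".join(value.split()) if value else ""


def dkim_tags(raw):
    """Parse the tag=value list of DKIM-Signature into a dict."""
    tags = {}
    for item in header(raw, "DKIM-Signature").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def dkim_selector_record(raw):
    """DNS name holding the public key for this signature: <s>._domainkey.<d>."""
    t = dkim_tags(raw)
    return f"{t['s']}._domainkey.{t['d']}"


def authentication_result(raw):
    """(dkim result, signing identity domain) as reported by the receiving MX."""
    ar = header(raw, "Authentication-Results")
    result = re.search(r"\bdkim=(\w+)", ar)
    ident = re.search(r"header\.i=@?([\w.-]+)", ar)
    return (result.group(1) if result else None, ident.group(1) if ident else None)


def from_domain(raw):
    return parseaddr(header(raw, "From"))[1].rpartition("@")[2].lower()


def dkim_aligned(raw):
    """True when the d= domain that signed the mail is the visible From domain."""
    return dkim_tags(raw).get("d", "").lower() == from_domain(raw)


def connecting_ip(raw, local_mx):
    """Public IP that handed the mail to our MX, from the Received header our MX wrote.
    Loopback hops (the amavisd re-injection here) are skipped."""
    for rcvd in email.message_from_string(raw).get_all("Received", []):
        rcvd = " ".join(rcvd.split())
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcvd)
        if f"by {local_mx}" in rcvd and m and ipaddress.ip_address(m.group(1)).is_global:
            return m.group(1)
    return None


def ip_in_spf_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def verdict(raw, local_mx=LOCAL_MX):
    """The checks behind the answer, each as a separate boolean."""
    result, _ = authentication_result(raw)
    ip = connecting_ip(raw, local_mx)
    return {
        # the authserv-id must be our own MX, or the header could be sender-supplied
        "authserv_is_local": header(raw, "Authentication-Results").split(" ", 1)[0] == local_mx,
        "dkim_pass": result == "pass",
        "dkim_aligned": dkim_aligned(raw),
        "selector_record": dkim_selector_record(raw),
        "connecting_ip": ip,
        "ip_in_spf": ip is not None and ip_in_spf_ranges(ip, FACEBOOKMAIL_SPF_RANGES),
    }


if __name__ == "__main__":
    for k, v in verdict(SAMPLE_HEADERS).items():
        print(f"{k}: {v}")
```

A DKIM pass only proves the message was signed by whoever holds the private key for s1024-2013-q3._domainkey.facebookmail.com; it says nothing about who triggered the notification, which is why the answer still reads it as a sign that the account itself was reactivated by someone else.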

If it is spam, coming from another address than Facebook, it might be spamfilter poisoning.

See What is the point of gibberish spam

Looking at the mail source, notification+mnqx54sr@facebookmail.com is not the sender, it's the return address. If you click reply, the mail goes to that address. That has nothing to do with where the mail came from, and it has no value in this matter.

I see mot.itea.myserver here and there, and I wonder if you have changed that or is that the original value? That is something that matters in this case, and it tells me that this is not coming from Facebook.

SPRBRN
  • myserver is just what I changed the server name (address) to in an attempt to stay anonymous. – The Unfun Cat May 04 '14 at 07:41
  • Then your attempt is not really successful. I think I know at what university you work or study (aside from the fact that you give this away in your profile). There are still IP addresses in the mail, plus subdomains. – SPRBRN May 04 '14 at 09:40
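This answer separates the Return-Path (where replies and bounces go) from where the message physically came from, and the question's comments show how much of the transit path is visible in the Received headers. The script below is an added example, not SPRBRN's code, that walks the Received chain in the order the MTAs prepended it and locates the one hop that can be vouched for: the first header written by a host you operate about a host you do not. Everything below that hop was added on the sender's side and is only text. SAMPLE_HEADERS copies the Received, Return-Path, From and Reply-to headers from the question; OWN_HOSTS is an assumption read off those headers (the asker's redacted mot/kasse06 machines plus localhost).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the routing headers copied from the question's message,
# body omitted ("myserver" is the asker's redaction).
SAMPLE_HEADERS = """\
Return-Path: <notification+mnqx54sr@facebookmail.com>
Received: from kasse06.itea.myserver (kasse06.itea.myserver [129.241.56.234])
     by mot.itea.myserver (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5) with LMTPA;
     Sat, 03 May 2014 05:39:27 +0200
Received: from localhost (localhost [127.0.0.1])
    by kasse06.itea.myserver (Postfix) with ESMTP id 806762000F2
    for <myidbak@stud.myserver>; Sat,  3 May 2014 05:39:27 +0200 (CEST)
Received: from mx-out.facebook.com (outmail017.ash2.facebook.com [66.220.155.151])
    by kasse06.itea.myserver (Postfix) with ESMTP id 9750A2003C2
    for <myidbak@stud.myserver>; Sat,  3 May 2014 05:39:24 +0200 (CEST)
Received: from facebook.com (2lkICU/ZQQWprcP9zKuyAff/Lpyxvuvbl+Y44S1SuODxClBxdtqLF4w+pN51v+j+ 10.224.41.89)
 by facebook.com with Thrift id 841465dad27411e3bddc0002c9e0e150-14dc74a0;
 Fri, 02 May 2014 20:39:22 -0700
From: "Facebook" <notification+mnqx54sr@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>

"""

# Assumed: the hosts the asker operates, read off the headers above.
OWN_HOSTS = {"mot.itea.myserver", "kasse06.itea.myserver", "localhost"}

HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)


def received_hops(raw):
    """Each Received header as (from_host, comment, by_host), newest hop first.
    That is the order they appear in, because every MTA prepends its own header."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))
        if m:
            hops.append((m.group("from"), m.group("comment") or "", m.group("by")))
    return hops


def entry_hop(raw, own_hosts):
    """The hop where a host we operate received from a host we do not.
    Its IP and reverse DNS were recorded by our own MTA; the hops below it
    (sender_side_hops of them) were written by the sender's infrastructure."""
    hops = received_hops(raw)
    for index, (from_host, comment, by_host) in enumerate(hops):
        if by_host.lower() in own_hosts and from_host.lower() not in own_hosts:
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", comment)
            return {
                "from": from_host,
                "reverse_dns": comment.split()[0] if comment else "",
                "ip": ip.group(1) if ip else None,
                "by": by_host,
                "sender_side_hops": len(hops) - index - 1,
            }
    return None


def envelope_and_origin(raw, own_hosts=OWN_HOSTS):
    """Side by side: the addresses replies and bounces go to, versus where the
    message actually entered our infrastructure. The two are unrelated fields."""
    msg = email.message_from_string(raw)
    hop = entry_hop(raw, own_hosts)
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "reply_to": parseaddr(msg.get("Reply-to", ""))[1],
        "origin_host": hop["reverse_dns"] if hop else None,
        "origin_ip": hop["ip"] if hop else None,
        "sender_side_hops": hop["sender_side_hops"] if hop else None,
    }


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print("hop:", hop)
    print(envelope_and_origin(SAMPLE_HEADERS))
```

For the message in the question the entry hop is outmail017.ash2.facebook.com [66.220.155.151] into kasse06, with one sender-side hop beneath it; mot.itea.myserver and the localhost hop are the asker's own delivery and virus-scanning path and carry no information about the origin.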