Is the noreply facebookmail com real?

8.3K    Asked by ankurDwivedi in Cyber Security , Asked on Apr 6, 2022

 I received an email, I was not aware I had credits or credits existed on Facebook and apparently I have $2.30 worth. It looks legitimate at first glance, the email address looks like all the other Facebook emails I get but I have a few reasons to believe this is fake and a phishing attempt.


All of the links on the page, which I haven't clicked on by the way, when hovering over and getting a preview of the link in the bottom left corner, aren't actual URLs, just directories I think. The Facebook header link points to setting?tab=payments. The review of your balance link is the same thing. The app centre link is just appcenter. Perhaps a failed phishing attempt or the email team messed up, not something Facebook would do.


The email style of the header, and background doesn't look anything like the legitimate emails I get from Facebook.


In the mail, the top blue bar is a solid blue bar, unlike the gradiented bar on the first email. The background is white not grey like the first one. And it's not full width like the first one. The styles are similar but the first one looks a little older than the one I got a couple days ago which has a flatter look

Is this email legitimate or is it some sort of failed phishing attempt?

Answered by Amy Avery

Regarding the noreply facebookmail com, I wouldn't put it past Facebook to "mess up". From the headers, it appears that Google's servers saw the request as coming from IP address 66.220.144.148, which is indeed part of the facebookmail.com domain. The Google server verified the DKIM signature on the email, relatively to the public key found in the DNS as a TXT record for s1024-2013-q3._domainkey.facebookmail.com: this is a 1024-bit RSA key and, right now, the signature still matches. 1024-bit RSA are still beyond the technologically feasible (current breaking record is 768 bits), unless one invests a significant number of millions of dollars into building a dedicated machine, but it would be improbable that such an investment would be done for hacking into Facebook accounts.

Therefore it seems plausible that the email really exited from the machines associated with the facebookmail.com domain. It is documented that this domain really belongs to Facebook, and they really use it to send notifications to users. For instance, this article states that: Confusingly, Facebook notifications come from the facebookmail.com domain and include a suspicious-looking sender's name. The long, complicated URL might also look suspicious, but this notification is a legit one from Facebook.

I totally agree with the "confusingly". Now, that the email comes from Facebook does not mean that it is legit; it just means that if the email is fake, then the attacker compromised some machine within the Facebook internal network and sent the email from that machine. As you notice, the email is weird; it does not "look like" a normal Facebook notification; moreover, the clickable links in the email are broken (since they are relative links, without a protocol or server part, they won't send you anywhere if you click on them -- if you read the email from a Webmail, they might send you on some page on that Webmail server, here Gmail.com...). My overall assessment is that the email is not an attack, but a technical blunder from the people at Facebook, who were testing some prototype notification for something related to Facebook Game Payments, and triggered the system for the wrong account (yours, in this case).

Anyway, for all emails, the usual rule must be maintained: DO. NOT. CLICK. If the email is legit, then you can log in the relevant site and see for yourself. You do not have to follow a clickable link from the email itself. The simple rule of never clicking on email links will keep you safe from phishing attempts.



Your Answer

Interviews

Parent Categories