Anatomy of a scam? Or just a password notification?
September 20, 2014
Kirk Becker
While eating breakfast this morning and checking email, I ran across two of the following emails:
A 3am email about a password reset from Facebook, sent to an email address that the family does not use as a login? The Spidey senses are tingling. Time to look at the raw email data and see what is going on...
Delivered-To: beckerfamily@floridabeckers.us
Received: by 10.229.14.201 with SMTP id h9csp502473qca;
Sat, 20 Sep 2014 00:04:35 -0700 (PDT)
X-Received: by 10.180.211.208 with SMTP id ne16mr1532381wic.71.1411196675222;
Sat, 20 Sep 2014 00:04:35 -0700 (PDT)
Return-Path: <password+h_i3dki_@facebookmail.com>
Received: from mx-out.facebook.com (outmail016.ash2.facebook.com. [66.220.155.150])
by mx.google.com with ESMTPS id v14si4512206wie.3.2014.09.20.00.04.34
for <beckerfamily@floridabeckers.us>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 20 Sep 2014 00:04:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of password+h_i3dki_@facebookmail.com designates 66.220.155.150 as permitted sender) client-ip=66.220.155.150;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of password+h_i3dki_@facebookmail.com designates 66.220.155.150 as permitted sender) smtp.mail=password+h_i3dki_@facebookmail.com;
dkim=pass header.i=@facebookmail.com;
dmarc=pass (p=REJECT dis=NONE) header.from=facebookmail.com
Received: from facebook.com (CB2uJzaEr7FAP9Z3NNj8E9uO4ydVsDyZ8ttuyabo2wEjYbPxtGSfri+xd3E5hhYV 10.158.104.67)
by facebook.com with Thrift id 6079b0ec409411e494110002c9550d78-2a1eb3f0;
Sat, 20 Sep 2014 00:04:34 -0700
X-Facebook: from 2401:db00:3010:3018:face:0:4f:0 ([MTI3LjAuMC4x])
by m.facebook.com with HTTP (ZuckMail);
Date: Sat, 20 Sep 2014 00:04:34 -0700
Return-Path: password+h_i3dki_@facebookmail.com
To: Nicole Beasley-Becker <beckerfamily@floridabeckers.us>
From: "Facebook" <password+h_i3dki_@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>
Subject: Somebody requested a new password for your Facebook account
Message-ID: <7833a8c7c38f65544e5ddf3b132fa1f0@m.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
Errors-To: password+h_i3dki_@facebookmail.com
X-Facebook-Notify: password_reset; mailid=a872430G30a5e9d3G0G178G29129f32
X-FACEBOOK-PRIORITY: 1
X-Auto-Response-Suppress: All
Require-Recipient-Valid-Since: beckerfamily@floridabeckers.us; Wednesday, 4 Aug 2010 15:07:54 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_7833a8c7c38f65544e5ddf3b132fa1f0"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
s=s1024-2013-q3; t=1411196674;
bh=KsNcsnOLkT3p6hrtXpRx5uiG7l2rqzTocgLbQUUAQFg=;
h=Date:To:From:Subject:MIME-Version:Content-Type;
b=iP4aprX0sCUXj9yWvddNp0ssj/zYj0X67/XpWm4pgxg73tbc5qbrsa03koq2Qo0+s
5kJzurtEhZ1l012QgYM0f3xOMmztwwBzQfxQ03ZXSRRhlBM0xZcseQ9iHdeXxiHugh
VEOgxGnS25a6LTFHVrV+joWxnURGx11qEgdhFcjo=
--b1_7833a8c7c38f65544e5ddf3b132fa1f0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Nicole,
Somebody recently asked to reset your Facebook password.
Click here to change your password.[https://www.facebook.com/recover/code?=
u=3D816179667&n=3D654156]=20
Alternatively, you can enter the following password reset code:
654156
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
https://www.facebook.com/recover/code?u=3D816179667&n=3D654156
Thanks,
The Facebook Team
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This message was sent to nicole@floridabeckers.us at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA =
94303
--b1_7833a8c7c38f65544e5ddf3b132fa1f0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
--b1_7833a8c7c38f65544e5ddf3b132fa1f0--
Raw email.
Hmm... it looks to be legitimate. No links connect or redirect to any place other than Facebook, and bringing up the virtual machine and opening the link shows nothing but a legitimate Facebook page...
So what is really going on? I checked my wife's email to see if she received the same email, since it listed her name. Sure enough, the identical email was there too. It looks like someone did try to reset her password and Facebook was trying to protect the account. Sometimes link-laden email is legitimate. Time to tune those Spidey senses again...
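The triage done by hand above (SPF/DKIM/DMARC verdicts, From versus Return-Path domain, and where every link actually points) as an added Python example that is not the post's own code. The sample message is constructed and abbreviated from the headers and plain-text part quoted above, and the set of domains the sender is allowed to link to is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample, abbreviated from the headers and plain-text part quoted above.
SAMPLE = """\
Return-Path: <password+h_i3dki_@facebookmail.com>
Authentication-Results: mx.google.com;
  spf=pass (google.com: domain of password+h_i3dki_@facebookmail.com designates 66.220.155.150 as permitted sender) smtp.mail=password+h_i3dki_@facebookmail.com;
  dkim=pass header.i=@facebookmail.com;
  dmarc=pass (p=REJECT dis=NONE) header.from=facebookmail.com
From: "Facebook" <password+h_i3dki_@facebookmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Click here to change your password.[https://www.facebook.com/recover/code?=
u=3D816179667&n=3D654156]=20
https://www.facebook.com/recover/code?u=3D816179667&n=3D654156
"""
# Assumption: the domains this sender is allowed to link to.
EXPECTED_DOMAINS = {"facebook.com", "facebookmail.com"}
URL_RE = re.compile(r"https?://[^\s\]\"'<>]+")

def auth_results(msg):
    """spf/dkim/dmarc verdicts from the receiving MX's Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def addr_domain(msg, header):
    return parseaddr(msg.get(header, ""))[1].rsplit("@", 1)[-1].lower()

def link_hosts(msg):
    """Hostnames of every URL in the text parts; decode=True undoes the quoted-printable first."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            hosts.update(urlparse(u).hostname for u in URL_RE.findall(text))
    return hosts

def triage(raw, expected=EXPECTED_DOMAINS):
    """List of findings; empty means the checks the post does by hand all came back clean."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    findings = [f"{m} result is {auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if addr_domain(msg, "From") != addr_domain(msg, "Return-Path"):
        findings.append("From domain does not match Return-Path domain")
    for host in sorted(link_hosts(msg)):
        if host not in expected and not any(host.endswith("." + d) for d in expected):
            findings.append(f"link to unexpected host {host}")
    return findings
```

Run `triage()` over the full raw message (headers plus both MIME parts) and it walks the HTML part too, so a link hidden in the HTML that the plain-text part does not show still gets reported.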