Sorry, this time I am writing this post in English, because I think this is important and people should know about it. If I write in English, more people will be able to read this.
Today, I was very shocked to find a Facebook deactivation notification. As far as I remember, I never deactivated my Facebook account. The notification looks like this:
It looks like it is from official Facebook mail, because it is from facebookmail.com. I panicked for a little while. But when I tried to click the link to reactivate, nothing happened. Maybe this is due to my security settings.
I suspected that this was fake. So I clicked Show Original to see the original message, and compared it with an official Facebook notification.
This one is officially from Facebook:

```
Delivered-To: *********@gmail.com
Received: by 10.229.232.4 with SMTP id js4cs57088qcb;
        Mon, 7 Jun 2010 22:27:03 -0700 (PDT)
Received: by 10.114.19.24 with SMTP id 24mr12516397was.190.1275974822617;
        Mon, 07 Jun 2010 22:27:02 -0700 (PDT)
Return-Path: <notification+pdvik71_@facebookmail.com>
Received: from mx-out.facebook.com (outmail004.snc1.tfbnw.net [69.63.178.163])
        by mx.google.com with ESMTP id r12si12649759waj.130.2010.06.07.22.27.01;
        Mon, 07 Jun 2010 22:27:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of notification+pdvik71_@facebookmail.com designates 69.63.178.163 as permitted sender) client-ip=69.63.178.163;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of notification+pdvik71_@facebookmail.com designates 69.63.178.163 as permitted sender) smtp.mail=notification+pdvik71_@facebookmail.com; dkim=pass header.i=@facebookmail.com
Return-Path: <notification+pdvik71_@facebookmail.com>
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=q1-2009b; c=relaxed/relaxed;
        q=dns/txt; i=@facebookmail.com; t=1275974820;
        h=From:Subject:Date:To:MIME-Version:Content-Type;
        bh=Otsmfv8NGlIhh03V86ht/n9A6Ks=;
        b=iNJxzgLn0iJ7dOvKltc2W0K+iZdp9Gpk6CDVJjqEuia/QBf22IoK4z3+ARTtvgG1
        ZmGlXBqt8UqNb0bCuTx5sg==;
Received: from [10.18.255.137] ([10.18.255.137:39524])
        by mta004.snc1.facebook.com (envelope-from <notification+pdvik71_@facebookmail.com>)
        (ecelerity 2.2.2.45 r(34067)) with ECSTREAM
        id 09/DA-09602-4A4DD0C4; Mon, 07 Jun 2010 22:27:00 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
        by www.facebook.com with HTTP (ZuckMail);
Date: Mon, 7 Jun 2010 22:27:00 -0700
To: ******** <**********@gmail.com>
From: Facebook <notification+pdvik71_@facebookmail.com>
Reply-to: Reply to Comment <c+24cdhk3000000niebn7050000gip2118f000000niebn7001819gv62jz1ip1i@reply.facebook.com>
Subject: ***********************
Message-ID: <04fb44ba1ede9805583cc851babcaebc@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: feed_comment; from=1429844717; uid=1421623411; owner=1421623411; oid=1294523769471; mailid=277d1d2G54bc4073G1099b2cG36
Errors-To: notification+pdvik71_@facebookmail.com
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
```
And this is from the fake Facebook:

```
Delivered-To: ***************@gmail.com
Received: by 10.229.232.4 with SMTP id js4cs48522qcb;
        Mon, 7 Jun 2010 17:50:01 -0700 (PDT)
Received: by 10.101.178.25 with SMTP id f25mr15731950anp.198.1275958200454;
        Mon, 07 Jun 2010 17:50:00 -0700 (PDT)
Return-Path: <billsm105@pageaerospace.com>
Received: from gw.shared-server.net (gw.shared-server.net [211.13.204.1])
        by mx.google.com with SMTP id k15si10050165anb.34.2010.06.07.17.49.58;
        Mon, 07 Jun 2010 17:49:59 -0700 (PDT)
Received-SPF: neutral (google.com: 211.13.204.1 is neither permitted nor denied by best guess record for domain of billsm105@pageaerospace.com) client-ip=211.13.204.1;
Authentication-Results: mx.google.com; spf=neutral (google.com: 211.13.204.1 is neither permitted nor denied by best guess record for domain of billsm105@pageaerospace.com) smtp.mail=billsm105@pageaerospace.com
X-Facebook: from zuckmail ([7F9o5iFBKJ5o])
        by www.facebook.com with HTTP (ZuckMail);
Date: Tue, 8 Jun 2010 09:47:55 +0500
To: <*************@gmail.com>
From: Facebook <noreply@facebookmail.com>
Subject: You have deactivated your Facebook account
Message-ID: <8d2b638908154bb0d38703091dba55be@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: deactivation_email; mailid=
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Type: text/html; charset = "UTF-8"
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional //EN">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Facebook</title></head>
<body style="margin: 0; padding: 0;" dir="ltr">
<table width="98%" border="0" cellspacing="0" cellpadding="40"><tr><td bgcolor="#f7f7f7" width="100%" style="font-family: lucida grande, tahoma,verdana, arial, sans-serif;">
<table cellpadding="0" cellspacing="0" border="0" width="620"><tr><td style="background: #3b5998;color: #fff; font-weight: bold; font-family: lucida grande, tahoma, verdana, arial,sans-serif; padding: 4px 8px; vertical-align: middle; font-size: 16px; letter-spacing:-0.03em;text-align: left;">facebook</td></tr>
<tr><td style="background-color: #fff; border-bottom: 1px solid #3b5998; border-left:1px solid #ccc; border-right: 1px solid #ccc;font-family: lucida grande, tahoma, verdana, arial,sans-serif; padding: 15px;" valign="top">
<table width="100%"><tr><td width="470px" style="font-size: 12px;" valign="top" align="left">
<div style="margin-bottom: 15px;font-size: 13px;">Hi,</div>
<div style="margin-bottom: 15px;">You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to.</div>
<div style="margin-bottom: 15px; margin: 0;">Thanks,<br /> The Facebook Team</div></td>
<td valign="top" width="150" style="padding-left: 15px;" align="left">
<table width="100%" cellspacing="0" cellpadding="0"><tr><td style="background-color: #FFF8CC; border: 1px solid #FFE222; color: #333; padding: 10px; font-size: 12px;">
<div style="margin-bottom:15px;">Sign in to Facebook and start connecting</div>
<table cellspacing="0" cellpadding="0"><tr><td style="border: 1px solid #3b6e22;"><table cellspacing="0" cellpadding="0"><tr><td style="padding: 5px 15px;background-color: #67a54b;border-top: 1px solid #95bf82;"><a href="http://berthlwyd.net/jonquil.html" style="color: #fff;font-size:13px;font-weight: bold;text-decoration: none;">Sign In</a></td></tr></table></td></tr></table></td></tr></table></td></tr></table>
<div style="padding-top: 15px;"><table width="100%" cellspacing="0" cellpadding="0"><tr><td style="background-color: #FFF8CC; border: 1px solid #FFE222; color: #333;padding: 10px; font-size: 11px;">
<div style="font-weight: bold; margin-bottom: 2px;">To reactivate, follow the link below:</div>
<a href="http://barcoh.com/blaming.html" style="color: #3b5998; text-decoration: none;">http://www.facebook.com/home.php</a></td></tr></table></div></td></tr>
<tr><td style="color: #999; padding: 10px;font-size: 11px; font-family: lucida grande, tahoma, verdana, arial, sans-serif;">This message was intended for Facebook user. If you do not wish to receive this type of email from Facebook in the future, please click <a href="http://fwsinc.com/renew.html" style="color: #3b5998">here</a> to unsubscribe.<br/>Facebook`s offices are located at 1601 S. California Ave., Palo Alto, CA 94304.</td></tr></table></td></tr></table></body></html>
```

Check out what I’ve set in bold. At first glance, it looks like it is from an official Facebook account, except that the return path is billsm105@pageaerospace.com. I checked www.pageaerospace.com and found that this is a legal site. What’s interesting is some fake addresses which they write as if they lead to your Facebook account. They are:

- http://berthlwyd.net/jonquil.html
- http://fwsinc.com/renew.html
- http://barcoh.com/blaming.html

I tried to click barcoh.com and, in return, got a red message from Chrome (I use Google Chrome).
And the same warning message appeared for fwsinc.com, but I found nothing on berthlwyd.net (maybe this is only a machine that hosts jonquil.html).
I did not take this step further, so I don’t know how this site affects you. This is because I was not prepared to use a virtual machine. But I think the exploration is enough to draw a conclusion:
- Always check the original message when you suspect that a message is not right.
- Be careful if you get a message from billsm105@pageaerospace.com or any message from pageaerospace.com. Maybe this machine is infected.
- Always browse safely. In Chrome, you can go to Options / Under the Hood and tick Enable phishing and malware protection.
- Keep your virus guard always on, and complement it with Malwarebytes (I use MBAM and Avira free edition, always kept updated. This is more than enough).
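
The comparison done by hand above (From versus Return-Path, the SPF/DKIM results, and links whose visible text names a different host than the `href`) can be scripted. This Python sketch is an added example, not part of the original post; the sample message is constructed from a few headers and two links of the fake mail, and `check_message`, `LinkParser` and `domain` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: headers and two links trimmed from the fake message above.
RAW = """\
Return-Path: <billsm105@pageaerospace.com>
Authentication-Results: mx.google.com; spf=neutral smtp.mail=billsm105@pageaerospace.com
From: Facebook <noreply@facebookmail.com>

<a href="http://berthlwyd.net/jonquil.html">Sign In</a>
<a href="http://barcoh.com/blaming.html">http://www.facebook.com/home.php</a>
"""

class LinkParser(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(header_value):  # domain part of a From / Return-Path address
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_message(raw):
    msg, findings = message_from_string(raw), []
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    if from_dom != rp_dom:  # envelope sender differs from the displayed sender
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    for mech in ("spf", "dkim"):  # verdicts recorded by the receiving server
        m = re.search(rf"\b{mech}=(\w+)", msg.get("Authentication-Results", ""))
        if not m or m.group(1) != "pass":
            findings.append(f"{mech} result: {m.group(1) if m else 'missing'}")
    parser = LinkParser()
    parser.feed(msg.get_payload())
    for href, text in parser.links:  # link text that shows a URL for another host
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if text.startswith("http") and shown != real:
            findings.append(f"link shows {shown}, goes to {real}")
    return findings
```

A Return-Path that differs from the From domain is not proof of forgery on its own, since legitimate bulk senders often use a separate bounce domain. Here it is the combination with a non-pass SPF result, the absent DKIM result and the mismatched link that marks the message.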