Is [email protected] legitimate?
I'm having a hard time figuring out whether this email a friend of mine got is legit or a scam. The weird thing is there's only one link to facebook.com, which is the one about Facebook terms. All the others are linking to em.facebookmail.com with a very long run of funny characters following it. Another thing that raised suspicion was a particular grammar error and one link in Spanish. I tried searching online but all I got was opinions that are hardly believable.
What should I do to check whether it's legitimate or not?
Amusingly, if you go to em.facebookmail.com you get redirected to an advertiser's site: https://policy5.responsys.net/permission.htm
@D3C4FF The domain was registered by Facebook through an affiliate brand protection company. Makes some sense that it'd redirect.
Looks like the source domain is legit to me. Here's the whois result for the domain:
    Registrant:
        Domain Administrator
        Facebook, Inc.
        1601 Willow Road
        Menlo Park CA 94025
        US
        [email protected] +1.6505434800 Fax: +1.6505434800
    Domain Name: facebookmail.com
        Registrar Name: Markmonitor.com
        Registrar Whois: whois.markmonitor.com
        Registrar Homepage: http://www.markmonitor.com
    Administrative Contact:
        Domain Administrator
        Facebook, Inc.
        1601 Willow Road
        Menlo Park CA 94025
        US
        [email protected] +1.6505434800 Fax: +1.6505434800
    Technical Contact, Zone Contact:
        Domain Administrator
        Facebook, Inc.
        1601 Willow Road
        Menlo Park CA 94025
        US
        [email protected] +1.6505434800 Fax: +1.6505434800
    Created on..............: 2006-01-23.
    Expires on..............: 2018-01-23.
    Record last updated on..: 2012-09-28.
    Domain servers in listed order:
        a.ns.facebook.com
        b.ns.facebook.com
However, this doesn't mean the email is real. It could've had its source address spoofed. Check the headers on the email to see if the source SMTP server is legitimate, and if the return address is valid. You can also contact Facebook's security team to inquire about the potential phishing attempt, and provide them with the embedded links - they might represent an XSS or other attack on Facebook itself.
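The header check suggested above can be scripted. This is an added example, not code from the original answer: it compares the From domain with the Return-Path and with the SPF/DKIM results your receiving server recorded. The sample messages, the address local parts and the hosts mx.example.org and mailer.example.net are constructed, and alignment is approximated by a suffix match rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def aligned(domain, org):
    """Relaxed alignment: domain equals org or is a subdomain of it."""
    return domain == org or domain.endswith("." + org)

def check_headers(raw, org="facebookmail.com"):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    # Trust only the Authentication-Results header stamped by your own
    # receiving server (normally the topmost); lower ones can be forged.
    ar = (msg["Authentication-Results"] or "").lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    m = re.search(r"header\.d=([\w.-]+)", ar)
    dkim_dom = m.group(1) if m else ""
    # A bare "spf=pass" is not enough: it must pass for a domain that
    # matches the visible From domain, otherwise the From is unverified.
    spf_ok = results.get("spf") == "pass" and aligned(rp_dom, org)
    dkim_ok = results.get("dkim") == "pass" and aligned(dkim_dom, org)
    ok = aligned(from_dom, org) and (spf_ok or dkim_ok)
    return {"from": from_dom, "return_path": rp_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "verdict": "consistent" if ok else "suspicious"}

# Constructed sample messages (not taken from the e-mail in the question).
LEGIT = (
    "Return-Path: <bounce@em.facebookmail.com>\n"
    "Authentication-Results: mx.example.org; spf=pass "
    "smtp.mailfrom=em.facebookmail.com; dkim=pass header.d=facebookmail.com\n"
    "From: Facebook <notification@em.facebookmail.com>\n\nbody\n")
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Authentication-Results: mx.example.org; spf=pass "
    "smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail\n"
    "From: Facebook <notification@em.facebookmail.com>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, check_headers(raw))
```

The second sample shows the case that is easy to misread: SPF passes, but for the sender's own envelope domain, so it says nothing about the From address the recipient sees.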
Sounds strongly like it is a phishing attempt. The best bet is always to contact the party the e-mail claims to be and forward them the message. They can confirm or deny if it is a fake and it is good to let them know about the fakes that are going on out in the wild.
Update: Facebook does send legit e-mails from this domain, but there are also a LOT of phishing attempts that also pretend to be from this domain. From what I've been reading, it looks like the links should be to facebook.com if it is legit. If you can mention what some of the actual hyperlink targets of the e-mail are, we might be able to be of more assistance.
Also, contacting Facebook is still going to be the most authoritative answer you can get.
Ok, this appears to be valid to me. It appears that the website is run by a marketing company responsible for e-mail advertisements for Facebook. The link appears to be a click-tracker that redirects to Facebook.com. No guarantee if all the links are valid though as the misspelling is a big red flag.
You asked if @em.facebookmail.com is legitimate?
I performed some quick online IP reputation scan checks from notable online vendors and here is the response. Quick snapshots.
Total tests performed 3 Test passed 3
It's most certain that in fact a spam relay / server was used to send this email; you can look at the header and see where the email originated from. From there you can do the reverse DNS lookup to see if the tests passed. If it's spam, it's gonna fail in the results.
There is debate on a similar phishing attack analysis done by someone on the internet. Just like in your case, someone too has been alerted on the use of specific language native / local to his context or use. E.g. Malastname1 comments.
"It's most certain that in fact a spam relay / server was used to send this email" - I disagree. It could simply be a legit email from Facebook, with a broken template or data glitch causing the Spanish text in the link. After all, Facebook's email templates and features are written by people, and people make mistakes.
Can you provide some redacted headers? It's always possible to fake the source address.
If there were links in the email itself, check that those are actually on the facebook.com domain. I would be more concerned about the content and where it wants you to go than where it came from if you are worried about the legitimacy.
Usually if Facebook wants you to perform some action, it will be there when you log in via notification. If the actual link or message does not instruct you to visit facebook.com, that would be suspicious, because why would Facebook tell you to go directly to someone else's site? Even if they wanted you to visit a partner site, they would probably redirect you through a tracking link on
I'm not meaning to be nonconstructive - as I hate people that question the question rather than simply providing the answer - but is it necessary to click on the link if there is any doubt? I imagine perhaps a safer solution would be to log into Facebook in a typical manner and navigate to whatever page is outlined in the email rather than directly linking to it.
Better safe than sorry.
But specifically on the validity of the domain, sorry I'm not sure, but it seems others have answered that better than I anyway.
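Several answers above suggest checking whether the links in the message really point at facebook.com. This is an added example, not part of any answer: it lists every link target in an HTML body and classifies it without visiting it. The sample HTML, the `.example` hosts and the tracking token are constructed; the two domain names are the ones discussed on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

class HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def classify(href):
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()  # drops any "user@" prefix
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https") or not host:
        return "not-a-web-link"
    if host_under(host, "facebook.com"):
        return "direct"
    if host_under(host, "facebookmail.com"):
        # Click-tracker host: the final destination is not visible here.
        return "tracker"
    return "off-domain"

def audit_links(html):
    collector = HrefCollector()
    collector.feed(html)
    return [(h, classify(h)) for h in collector.hrefs]

# Constructed sample body; none of these URLs come from the real e-mail.
SAMPLE_HTML = """
<a href="https://www.facebook.com/terms">Terms</a>
<a href="http://em.facebookmail.com/CONSTRUCTED-TRACKING-TOKEN">View</a>
<a href="https://facebook.com.login.example/reset">facebook.com</a>
<a href="https://www.facebook.com@phish.example/">Log in</a>
"""

if __name__ == "__main__":
    for href, verdict in audit_links(SAMPLE_HTML):
        print(f"{verdict:12} {href}")
```

The last two samples are classified off-domain because the check looks at the parsed hostname rather than searching the URL text for "facebook.com".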