From: Facebook [password+mxxayybx@facebookmail.com]
Date: 14 January 2008 03:02
Subject: Facebook Password Security Alert

Hey [my first name],

We have reset your Facebook account password for security reasons. You will need to use the link provided in this email to create a new, secure password for your account. In the future, please make sure that when you log in to Facebook, you always log in from a legitimate Facebook page with the facebook.com domain. To reset your password, follow the link below:

https://login.facebook.com/reset.php?email=[my email address]&cc=[random string of numbers and letters]&tt=[random string of numbers]
(If clicking on the link doesn’t work, try copying and pasting it into your browser.)

Please contact info@facebook.com with any questions.

Thanks,
The Facebook Team

I got the above email this morning. I saw “We have reset your Facebook account password” and groaned. “Why must they do this?” I thought.

After reading the entire message, I thought it sounded a little fishy. I looked at the “from” address: “facebookmail.com, a-ha!”. Just as I was about to click the “report spam” button, I saw the link in the email started with https://login.facebook.com/. I hovered over the link, and it indeed led to where it said it would lead.

The easiest way to determine whether a message is a scam is to look at the address the link actually points to. If it does not begin with https://login.facebook.com/, the email is not legitimate.

Hackers will try to send you to addresses that look like Facebook but are actually something like http://www.facebook.loginfb83920.com/, which takes you to the site loginfb83920.com and not to facebook.com. (Make sure to hover your cursor over the link and look at the bottom left of your screen; the hacker can easily disguise a link so that it reads https://www.facebook.com/ but actually takes you to a different site.)
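The check the paragraph above describes, as an added example in Python that is not part of the original post: it takes the host a link really points to, asks whether that host is facebook.com or one of its subdomains (so that "facebook" merely appearing inside a longer host name does not count), and separately flags links whose visible text reads facebook.com while the real target is elsewhere. The constant `TRUSTED_DOMAIN`, the function names and the sample links are assumptions constructed for this illustration; the lookalike host is the one the post itself quotes.

```python
from urllib.parse import urlsplit

# Assumed for this example: the only domain a legitimate link may point to.
# The test asks whether a host IS this domain or a subdomain of it.
TRUSTED_DOMAIN = "facebook.com"


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if the text has none
    (plain link labels such as 'Reset your password' yield '')."""
    host = urlsplit(url.strip()).hostname
    return (host or "").lower()


def host_belongs_to(url: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the URL's host is `domain` itself or ends in '.<domain>'.

    'www.facebook.loginfb83920.com' fails: its registrable domain is
    loginfb83920.com, and 'facebook' is just a label inside the host string.
    """
    host = host_of(url)
    return host == domain or host.endswith("." + domain)


def check_link(display_text: str, href: str) -> str:
    """Classify a link by what the reader sees versus where it really goes.

    display_text is the text shown in the message (often a URL printed in
    full); href is the real target, the one revealed by hovering over it.
    """
    if not host_belongs_to(href):
        if host_belongs_to(display_text):
            # Visible text names the trusted domain, real target does not.
            return "deceptive: looks like %s but goes to %s" % (
                TRUSTED_DOMAIN, host_of(href))
        return "off-domain: goes to %s" % host_of(href)
    if urlsplit(href).scheme != "https":
        return "on-domain but not https"
    return "on-domain"


def audit(links):
    """Run check_link over (display_text, href) pairs; return the verdicts."""
    return [check_link(shown, target) for shown, target in links]


# Constructed samples. The first mirrors the reset link quoted in the post,
# the second and third use the lookalike host the post names, the fourth is
# a plain label pointing at that same site, the fifth is on-domain but http.
SAMPLE_LINKS = [
    ("https://login.facebook.com/reset.php?email=x&cc=abc&tt=123",
     "https://login.facebook.com/reset.php?email=x&cc=abc&tt=123"),
    ("https://www.facebook.com/", "http://www.facebook.loginfb83920.com/"),
    ("http://www.facebook.loginfb83920.com/",
     "http://www.facebook.loginfb83920.com/"),
    ("Reset your password", "http://loginfb83920.com/"),
    ("http://www.facebook.com/", "http://www.facebook.com/"),
]

if __name__ == "__main__":
    for (shown, target), verdict in zip(SAMPLE_LINKS, audit(SAMPLE_LINKS)):
        print("%-45s -> %s" % (target, verdict))
```

Matching on a fixed suffix is enough for one known domain; a general-purpose filter would need the public suffix list to find the registrable domain, and no host comparison catches look-alike characters in the host name, so hovering and reading the target remains the final check.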

Everything in the email is spelled correctly. If this is a scam, they’ve done a nice job; scam emails are notorious for poor spelling and grammar.

Adding more legitimacy, my name is in the message, and there’s no way of deducing my name just from my email address. Hmm…

I click the “report spam” button anyway and go to Facebook (not using the link in the email). That’s strange; I’m logged out. But no biggie, that happens occasionally.

I use different passwords for different sites, and I’m usually automatically logged in, so I had forgotten which particular password I used for Facebook. I tried a few different passwords, but it still wasn’t working. I clicked the “forgotten password” link and got another email from that same address with the same link (except that the cc and tt numbers in the URL were different). I clicked on the link on the email *I* requested and changed my password. Now, I’m logged in properly.

facebookmail.com is the official address of Facebook email notifications. However, email addresses can be easily spoofed, so mail from facebookmail.com may not actually be from Facebook.

The sender’s address being @facebookmail.com and not @facebook.com definitely set off an alarm. That was a really poor choice on Facebook’s part, sending official emails from a different domain.

This appears, at the time of writing (January 2008), to be a fairly new issue, since only a TechCrunch comment and a LiveJournal entry have mentioned this email, both from earlier this month.

So is it a scam, or is it legitimate? My password had definitely been changed. But why would Facebook do this? It’s not a particularly good practice.

Update: David and mickeysix have left some comments below with good information on the issue, explaining how it might be a scam. Scroll down to read them.