
Forgive my ignorance here - but how did the fake email manage to have been signed by facebook.com? If anyone knows, I'd love a detailed explanation or a reference link. Thanks!



The article says that the scammer sent a _screenshot_ of the email (so the email was just photoshopped, and not actually signed by facebook.com).


My fault - thanks for the clarification.


Actually you don't even need Photoshop. Firebug would do.


So will Chrome's built-in developer tools. No bloated browser or third-party tools required.


If you have access to their new Facebook mail stuff, is it sent from an @facebook.com email address?


Yes, which is another bit of evidence that this is a fake - Facebook employees use @fb.com as their e-mails.


It's actually quite easy to fake an email address because SMTP doesn't authenticate the sender. For example, I can send someone (exampleperson@example.com) an email that appears to be from 'admin@facebook.com' with one line of PHP code:

<?php mail('exampleperson@example.com', 'Example Subject', 'Example Message', 'From: admin@facebook.com' ); ?>


That explains spoofing of the originating address; to generate a signed email surely you would need a set of certificates.


Oops I missed that. noonat's solution seems more likely then.
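
Added example, not part of any comment in this thread: a receiver-side check that separates a typed-in From: address from a verified signature. It assumes the "signed by" label reflects a DKIM result that the receiving server records in an Authentication-Results header (the thread does not name the mechanism); the authserv-id `mx.example.net`, the forged `mx.facebook.com` header and all three messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id that our own receiving mail server stamps on mail.
TRUSTED_AUTHSERV = "mx.example.net"

def from_domain(msg):
    """Domain of the visible From: address, which the sender fully controls."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dkim_pass_domains(msg):
    """Domains with dkim=pass, read only from our own server's header."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue  # anyone can type this header into a message they send
        for clause in results.split(";"):
            if re.search(r"\bdkim\s*=\s*pass\b", clause, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", clause, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def classify(raw):
    """Report whether a verified signature covers the From: domain."""
    msg = message_from_string(raw)
    sender = from_domain(msg)
    for d in dkim_pass_domains(msg):
        if sender == d or sender.endswith("." + d):
            return "signed-by-from-domain"
    return "unauthenticated-from"

# Constructed sample messages (not real mail).
BODY = "Subject: Example Subject\n\nExample Message\n"
SPOOFED = ("Authentication-Results: mx.example.net; dkim=none\n"
           "From: admin@facebook.com\n" + BODY)
FORGED_AR = ("Authentication-Results: mx.example.net; dkim=none\n"
             "Authentication-Results: mx.facebook.com; dkim=pass header.d=facebook.com\n"
             "From: admin@facebook.com\n" + BODY)
SIGNED = ("Authentication-Results: mx.example.net; dkim=pass header.d=facebook.com\n"
          "From: admin@facebook.com\n" + BODY)

if __name__ == "__main__":
    for name in ("SPOOFED", "FORGED_AR", "SIGNED"):
        print(name, classify(globals()[name]))
```

Only the header stamped by the receiving server counts, so a message that carries its own "dkim=pass" line is still classified as unauthenticated.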



