About:
We've been monitoring a pharmacy spam campaign for some time that shows no decline in message volume. This campaign attempts to forge the message header and body content to look like a real message from Facebook.
Often the HTML structure and message headers are identical to those of messages sent by Facebook. The messages include a From header that makes it seem like Facebook is the sender, although not all of them forge Facebook's own domain, facebookmail.com. Examples include:
Facebook [update+some_id]@facebookmail.com
Facebook [notification+some_id]@notifierfacebook.com
Facebook [notification+some_id]@textfacebook.com
Facebook [notification+some_id]@facebookmail.com
Facebook [notification+some_id]@clockfacebook.com
Facebook [notification+some_id]@balloonerfacebook.com
Facebook [notification+some_id]@balloonsfacebook.com
Facebook [notification+some_id]@facebookjailed.com
Samples of the phony message subject lines include many that are found in legitimate Facebook emails.
Subject: Getting back onto Facebook
Subject: You have 4 lost messages on Facebook...
Subject: You have 3 lost messages on Facebook...
Subject: You have 1 lost message on Facebook...
Subject: You have 2 lost messages on Facebook...
Subject: [random first name][random last name] sent you a message on Facebook...
Subject: Hi, you have notifications pending
Subject: Facebook has sent you a notification...
Subject: Facebook Administration has sent you a message
Subject: Oops.. You have notifications pending
Subject: You have notifications pending
Subject: New notification from Facebook
Genuine Facebook messages are sent from IP addresses under Facebook's control, and all legitimate Facebook emails contain links to domains under Facebook's control, such as facebook.com. The spam messages, by contrast, are sent via many different spambots and compromised hosts throughout the world.
The spam emails direct users to domains under the control of the spammers, which are typically compromised legitimate domains. Currently the website is a basic page asking the reader to "Buy Viagra Online." This page links to one of many "Pharmacy Express" templates.
This campaign exploits users who allow Facebook to send them too many notifications, which could prevent these messages from being scanned and identified as spam. The spammers are counting on the fact that users are more likely to click on a link in the message if they believe it comes from a legitimate source like Facebook.
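The sender-domain and link-domain differences described above can be turned into a simple mail filter check. The following Python is an added example, not part of the original write-up; the sample messages, the `shop.example` host and the `id1` address tag are constructed, and the allow-lists hold only the two Facebook domains the text names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: only the two domains named in the text are treated as Facebook's.
FB_SENDER_DOMAINS = {"facebookmail.com"}
FB_LINK_DOMAINS = {"facebook.com"}
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def _within(host, domains):
    # Exact match or true subdomain only, so "notifierfacebook.com" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return findings for a message whose From header presents it as Facebook."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if "facebook" not in name.lower() and "facebook" not in sender_domain:
        return []  # does not claim to be Facebook; out of scope for this check
    findings = []
    if not _within(sender_domain, FB_SENDER_DOMAINS):
        findings.append("lookalike-sender:" + sender_domain)
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    # A forged facebookmail.com From still fails here if its links leave facebook.com.
    for url in HREF_RE.findall(body):
        host = urlsplit(url).hostname
        if not _within(host, FB_LINK_DOMAINS):
            findings.append("off-domain-link:" + (host or "?"))
    return findings

def _sample(sender, link):
    # Constructed message, modelled on the From and Subject patterns listed above.
    return ("From: Facebook <%s>\nSubject: You have notifications pending\n"
            "Content-Type: text/html\n\n<a href=\"%s\">View</a>\n" % (sender, link))

SAMPLES = {
    "lookalike": _sample("notification+id1@notifierfacebook.com", "http://shop.example/p"),
    "forged": _sample("update+id1@facebookmail.com", "http://shop.example/p"),
    "clean": _sample("notification+id1@facebookmail.com", "https://www.facebook.com/n/?x"),
}
```

The sending IP, the third difference the text mentions, is not checked here because that needs a list of Facebook's address ranges, which the text does not give.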