On 25 Jan 2013 I received a email entitled Re: LEGAL NOTICE OF SETTLEMENT OF CLASS ACTION from legalnotice <email@example.com>. When I opened the email and looked at the body it was formatted similarly to other notices of settlements I have received, both via email and snail mail. The email body looked legit, but the email, as a whole, felt weird.
The things that felt off:
- In my email box the sender was legalnotice. Normally, you'd see something more descriptive and authoritative such as, "Legal Notice from Facebook". The full From was legalnotice <firstname.lastname@example.org>, which didn't inspire more confidence since a) facebookmail.com is not facebook.com, a) anyone can register a domain name and, b) most spammers fake the From field.
- The Subject starts with Re:. I have received an endless amount of spam starting with Re:. It's usually a trick meant to make me think it's a response to a message I sent, so that I'll respond saying, "Huh, what attachement?"
- It seemed as if the message was from Settlement, c/o GCG, P.O. Box 35009, Seattle, WA 98124-1009, or GCG@fraleyfacebooksettlement.com. You may also contact Class Counsel, Robert S. Arns of the Arns Law Firm, by calling 1-888-214-5125 or by emailing email@example.com. It looked like a signature because it was the last line in the email. Why would GCG, P.O. Box 35009, Seattle, WA 98124-1009 send email from Facebook?
- P.O. Boxes are not confidence-inspiring.
- For more information I was referred to www.fraleyfacebooksettlement.com. Those spammers always want you to click on something.
- When I googled the domain facebookmail.com, the first few search results were about phishing. Which, you know, is another way of spelling fishing, as in, "fishing for information".
- There was one search result claiming that the email was real, but it was posted on a website called wcsh6.com. I have seen interweb bad guys set up websites to create the illusion of legitimacy. This is particularly common with health care products. You'll find a bunch of personal blogs raving about the product, but when you visit, the blog is curiously impersonal and very single-mindedly devoted to that particular product.
Things that seemed off about the email being off:
- The email was sent to the email address I used to register with Facebook.
- The email contained a single link, www.fraleyfacebooksettlement.com. It was very straightforward, no weird characters on the end, or anything (those characters that are used to identify the validity of an email address so that subsequent spam reaches a real person).
- The website, www.fraleyfacebooksettlement.com, was not a fake facebook.com. It was what the email stated: a website with more information about a proposed settlement of a class action lawsuit against Facebook, Inc.
- The email contained an email address, but no apparent subterfuge, such as encouraging me to "unsubscribe".
- The email said that I need to fill out a form if I wanted to be a Class Member (and get money), but had no link to, or further information, about the form.
- If this was a phishing attempt, then it was plainly attempting reverse psychology: hoping that the seeming absence of dishonesty would make me email my Facebook login credentials and credit card information to the email address provided.
What is facebookmail.com?It's a domain registered to Facebook, Inc.:
Facebook, Inc.It uses the same Domain Name Servers (DNS) as facebook.com:
1601 Willow Road
Menlo Park CA 94025
a.ns.facebook.comIt's possible to fake the registrar, but it probably wouldn't work for long with a large, well known company. Using the same DNS is harder, though. Since Facebook itself controls the DNS servers someone would have to hack those servers in order to complete the fakery.
I also found an article (about something unrelated) on about.com that said:
...Facebook notifications received by email are sent from a facebookmail.com address...
Where did the email come from?The email headers contains chain of servers the email was passed through:
Received: from [10.178.122.89] ([10.178.122.89:33369]) by smout064.snc7.facebook.comFirst, it was received by smout064.snc7.facebook.com from 10.178.122.89. 10.178.122.89 is a private IP, presumably part of Facebook's internal network. Second, it was received by mx.google.com from outmail006.snc7.facebook.com. Last, it says that it passed SPF, Sender Policy Framework, validation. SPF is a validation system that allows the receiving server to verify that the sender IP is authorized to send emails on behalf of the domain specified in the From field, firstname.lastname@example.org. Since 18.104.22.168 is a valid sender for facebookmail.com it is, by extension, a valid sender for Facebook. Google wouldn't lie about a thing like that.
Received: from mx-out.facebook.com (outmail006.snc7.facebook.com ([22.214.171.124]) by mx.google.com
Received-SPF: pass (google.com: domain of email@example.com designates 126.96.36.199
What is www.fraleyfacebooksettlement.com?According to the site itself, its purpose is to disseminate information about a settlement in the class action lawsuit, Fraley, et al. v. Facebook, Inc., et al., Case No. CV-11-01726 RS.
The headers have the logo GCG (GCG was referred to in the email "signature").
Fraleyfacebooksettlement.com is registered to:
Garden City GroupIf you google Garden City Group you'll find www.gcginc.com, same logo as above, gcginc.com is registered to:
1985 Marcus Avenue
Lake Success, New York 11042
The Garden City Group, Inc.According to the website itself*, GCG is
1985 Marcus Avenue
Lake Success, New York 11042
the recognized leader in legal administration services for class action settlements, bankruptcy cases and legal noticing programs. With over 1,000 employees in offices coast-to-coast, GCG has the people, experience and resources you need to handle any case.
Who is GCG, P.O. Box 35009, Seattle, WA 98124-1009?According to the GCG contact page, it has an office in Seattle.
Who is Class Counsel, Robert S. Arns of the Arns Law FirmArns Law Firm is a San Francisco based law form. One of its lawyers is Robert S. Arns. Perhaps "Bob" founded it. While Bob refers to himself as a family lawyer his firm appears to specialize in class actions.
When I called the phone number the email provided for Class Counsel, 1-888-214-5125, a recorded message told me that Arms Law Firm and Jonathan Jaffe Law are Class Counsel for in Fraley, et al. v. Facebook, Inc., et al., Case No. CV-11-01726 RS.
Jonathan Jaffe Law is another California based law firm, and while Arms Law Firm's website doesn't reference the Facebook settlement at all -- I couldn't find any links to ongoing cases -- Jonathan Jaffe Law's website does. Why? I have no idea.
Jonathan Jaffe "focuses primarily on consumer protection" and has a very imposing image of himself on the firm's About page.
Jaffe-law.com is registered to:
Jonathan Jaffe (firstname.lastname@example.org)
305 Hillegass Avenue
Jonathan Jaffe is an active member of the California State Bar. His record on the California State Bar's website lists the same address as his firm's whois record.
Bob Arms is, unsurprisingly, also an active member of the California State bar.
Who sends notice of a class action settlement?According to the Wikipedia page on Class Actions: "the court will usually direct the class counsel to send a settlement notice to all the members of the certified class, informing them of the details of the proposed settlement". That's clearly not what's happening here, since Facebook is the plaintiff.
According to the PDF, Judges’ Class Action Notice and Claims Process Checklist and Plain Language Guide (from 2010), available from the Federal Judicial Center, it's a bit more complicated than that, but the bottom line seems to be that notices should be sent in a way that ensures that it reaches as many Class Members as possible.
How do you look up a class action lawsuit?I don't know, but I googled Case No. CV-11-01726 RS and found the PDF, PRELIMINARY APPROVAL OF CLASS SETTLEMENT AND PROVISIONAL CLASS CERTIFICATION ORDER at http://digitalcommons.law.scu.edu. Presumably it's authentic.
Why did Facebook send this message?The PRELIMINARY APPROVAL OF CLASS SETTLEMENT AND PROVISIONAL CLASS CERTIFICATION ORDER says, "The Court finds that the method of providing notice to the Class and Minor Subclass Members proposed in the Settlement Agreement constitutes the best method for providing such notice that is practicable under the circumstances and constitutes valid, due, and sufficient notice to all Class and Minor Subclass Members..."
Wcsh6.com?Channel 6 NBS News Portland
Please note that I intended to use the word attorney instead of lawyer, but don't know the difference and ultimately was to lazy to search and replace.
Paranoid suspicion: it's almost as if Facebook was trying to make the notice look like spam.