So this is a bit disturbing on multiple levels.
2 - who is requesting the password reset of my account and why? (though this is probably the least interesting or important question - my guess is it’s a script kiddie who found an email address from one of the public mailing lists and gave it a go for grins)
3 - the email says to let Facebook know if I didn’t request this reset (which I did not), but doesn’t say how. Why don’t they include that info?
2.1 - minor, but, so how do I actually let FB know? Keep in mind that I don’t have an active account with FB right now and I don’t use any Meta products currently.
2.1.1 - and would FB actually care or do anything if I do tell them, or would I just be wasting my time?
3 - does Facebook still retain my account, in spite of the fact that I deleted it?
4 - if they do - how much? all of it?! is this more like LinkedIn’s hibernate, where the account is dormant and invisible but can be revived at any time?
The email is spoofed. It’s not actually from Facebook. When you click a link in the email, it will take you to a spoofed login page.
It’s a phishing attempt to try to both determine if you’re a real person or not, and to see if they can get you to enter your password information.
Don’t respond, just report it as a phishing attempt if you can and block the sender.
Actually I made a mistake here, I was looking at the plain text version. The HTML version includes a link to something like https : / / www dot facebook dot com /login/recover/cancel/?.. (edited by me for emphasis, the original is a normal URL).
I also double checked the headers, here’s a partial reproduction,
Received: from 69-171-232-139.mail-mail.facebook.com ([69.171.232.139])
by [my-real-email-server] with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 26 Mar 2025 16:20:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
s=s1024-2013-q3; t=1743020453;
bh=B4Ulhc2xaqu9XVin5vViWBwU/IAvS6Uah/BO99nHCeg=;
h=Date:To:Subject:From:MIME-Version:Content-Type;
b=tEaquKdZ4v7ewQl6LX/dOaVlx1NdGBOelrquOaZBCQMNl6NwG4Bw/GdMOgiG9D5bQ
aWOau/PQ56oEo8FlnNdOGD/+cFhVP2tOp1QkqY4tuuew2LQk1RWbXdbCoFM41tkR+6
l5E3maBc/whwR8VM4nMjDx+zc9Efk6nOsQ7PQS/8=
X-Facebook: from 2803:6080:e858:7d5:dd4c:9dec:300:0 ([MTI3LjAuMC4x])
by www.facebook.com with HTTPS (ZuckMail);
I’m not sure how to verify the DKIM but otherwise this actually looks legit.
The headers can be easily spoofed, as it’s the envelope that contains the relevant sender / receiver information.
From Proofpoint’s “How Does Email Spoofing Work and Why Is It So Easy?”
How to spoof an email
The box in red above highlights the email’s envelope. Normally the envelope fields are filled out for the sender automatically during the translation of the header. Neither the sender nor the recipient usually sees this information. The stuff in blue is the header and body. This is the stuff you normally see when you open an email that was sent to you.
It is possible for the sender to tinker with the message header and spoof the sender’s identity so the email looks like it is from someone other than Dude1. Let’s break down how spoofing an email’s identity works.
Say you have a friend that likes to play practical jokes on you. And you receive an email from them that says this:
Notice that the envelope fields are correct, but the From and Reply-To are false. When Dude1 receives this email, he may think it’s from his boss. When he hits “Reply” all he’ll see in the To: field is the “BossMan” name, but it will go back to his friend who spoofed the email, Dude2.
Cyber criminals can cleverly disguise an email in the same way and custom tailor it for their intended victims.
For example, if a criminal wants banking credentials from his or her target, they can do the same thing Dude2 did, but instead of telling Dude1 that he got a raise, they can falsely represent themselves within the email as a trusted bank and direct the recipient to go to a fraudulent website.
So for what it’s worth, the email address in From: is [email protected] which makes it look legit. But I didn’t think this was worth pointing out because, as you and proofpoint dot com correctly state, most email headers are easy enough to forge, so that’s not a particularly reliable guideline.
However, that Received: header in particular is not. It’s the very last one in the email, and that one is written by the folks running my email service. See https://wordtothewise.com/2024/03/anatomy-of-a-received-header/ for an explanation on how these headers work. The short version is that my email service is telling me that they think that they really received this email from 69-171-232-139.mail-mail.facebook.com (though it’s possible that they were able to fool my email service via something else, like IP spoofing)
Worth noting that the proofpoint dot com article doesn’t list the Received header as being one of the easy to spoof ones. (Of course, earlier Received headers can be suspect, say if one system in the chain is lying about where it received the email from - say to plant a false origin trail. But it must pass whatever forgeries it makes to a server that is beyond its control and (if it’s a good server) one that will faithfully record the next breadcrumb. So a spoofer doesn’t have that much control over the very last header.)
The other thing I should be doing is trying to verify the email via the DKIM signature as one was provided. This is also not so easy to forge because it uses cryptography. There are instructions on how to do this, see https://ediscoverychannel.com/2021/02/28/nothings-dkimpossible-manually-verifying-dkim-a-ctf-solution-and-implications/ and https://github.com/kmille/dkim-verify - but it’s quite complex and technical. (Also, never say never - see for example https://web.archive.org/web/20121026153703/http://www.hotforsecurity.com/blog/mathematician-impersonates-google-founder-to-point-out-dkim-flaw-4061.html and https://www.bitdefender.com/en-us/blog/hotforsecurity/google-apps-safe-from-dkim-vulnerability-says-google for a time when someone found a way past this. Edit: Here’s a more detailed link, https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/ )
Ultimately, I can’t say with 100% certainty that it’s legit, so even though it passes more tests than the usual phish would, just in case I followed your advice to avoid clicking on any links directly and notified FB via a manually typed out URL.
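As an added example (not code from this thread, from Facebook or from Proofpoint), here is a short Python script that does the two checks discussed in the post above mechanically. It reads the Received chain top-down, so the first entry is the hop your own mail server recorded and everything after it is what upstream relays claim; and it parses the DKIM-Signature tags, recomputes the body hash (bh=) with RFC 6376 body canonicalization, and reports the DNS name (selector._domainkey.domain) where the signing public key lives. The message is constructed: the header shapes follow what was quoted earlier, but the second hop, the empty body, the bh= value and the placeholder b= value are made up so it runs offline. Checking the b= tag itself (the RSA signature over the canonicalized headers) needs the key from DNS and an RSA library, and this script deliberately stops short of that.

```python
import base64
import hashlib
import re

# Constructed sample message (not the email from this thread). The header
# shapes follow what was quoted above; the upstream hop, the body (empty),
# the bh= value and the placeholder b= value are made up so this runs offline.
SAMPLE = b"""\
Received: from 69-171-232-139.mail-mail.facebook.com ([69.171.232.139])
\tby mx.example.net with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 26 Mar 2025 16:20:55 -0400
Received: from upstream-relay.example ([198.51.100.7])
\tby mta.example with ESMTP; 26 Mar 2025 16:20:50 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=facebookmail.com;
\ts=s1024-2013-q3; t=1743020453;
\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
\th=Date:To:Subject:From:MIME-Version:Content-Type;
\tb=PLACEHOLDER
From: security@facebookmail.com
To: someone@example.net
Subject: constructed test message

"""


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    if mode == "relaxed":
        # Strip trailing whitespace per line and collapse runs of WSP to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    # Both modes: drop empty lines at the end, then end with exactly one CRLF.
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if body == b"\r\n":
        body = b""
    if body and not body.endswith(b"\r\n"):
        body += b"\r\n"
    if mode == "simple" and not body:
        body = b"\r\n"  # simple mode: an empty body is a single CRLF
    return body


def body_hash(body: bytes, mode: str) -> str:
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def unfold_headers(head: bytes) -> list:
    """Split the header block into (name, value) pairs, joining folded lines."""
    headers = []
    for line in head.decode("utf-8", "replace").split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[?([0-9a-fA-F.:]+)\]?\)")


def received_chain(headers: list) -> list:
    """Received headers in order of appearance: index 0 was added last, by the
    server nearest the reader; later entries were written upstream and can lie."""
    hops = []
    for name, value in headers:
        if name.lower() == "received":
            m = RECEIVED_FROM.search(value)
            hops.append({"host": m.group(1), "ip": m.group(2)} if m else {"raw": value})
    return hops


def parse_dkim_tags(value: str) -> dict:
    """tag=value pairs of a DKIM-Signature header, with folding whitespace removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def analyze(raw: bytes) -> dict:
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = unfold_headers(head)
    hops = received_chain(headers)
    dkim = next((v for n, v in headers if n.lower() == "dkim-signature"), "")
    tags = parse_dkim_tags(dkim)
    # c=header/body; a lone value means the body uses simple canonicalization.
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    computed = body_hash(body, body_mode)
    return {
        "trusted_hop": hops[0] if hops else None,   # recorded by our own server
        "claimed_upstream_hops": hops[1:],          # only as trustworthy as each relay
        "dkim_domain": tags.get("d"),
        "dns_name": f"{tags.get('s')}._domainkey.{tags.get('d')}",  # TXT record with the key
        "bh_expected": tags.get("bh"),
        "bh_computed": computed,
        "bh_matches": tags.get("bh") == computed,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

A matching bh= only proves the body was not altered after signing; the b= tag is what ties the message to facebookmail.com, and that still has to be checked against the key published at the printed dns_name (for example with the dkim-verify tool linked above).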
I don’t know but kudos on your user & domain handle, that’s impressive.
Thanks, it’s a side effect of hosting my own fediverse server (specifically it’s a pyfedi / piefed instance - see piefed.social )
I went ahead and manually typed out the link, just to let FB know that the requestor is fake. (Why type it manually? Just on the off chance that there’s something funky with hyperlinking that I missed, typing the URL manually makes sure that I’m going to the real FB and not some impostor’s one.)