Interesting information published on the OSI website about forging messages on Facebook. As many will know, for a long time users have been able to have an address of the form name@facebook.com (+ info).
Well, using that address and the primary email associated with an account (you can see it in the Information tab of many profiles), it is possible to forge a private message so that the recipient believes it was sent by one of their friends.
Let's see an example: I send a message to my own @facebook.com account, forging the sender. In this case I use my own e-mail, but I could use a friend's so that the message appears to come from their account. I send the message from an anonymous email service:
The first message is the forged one, and as you can see the only difference is a small yellow warning that its origin could not be confirmed. This could easily go unnoticed by many users.
Major problem: the warning doesn't always show
In the Facebook applications for phones and tablets the warning does not appear, nor does it appear when the forged sender is an address on its own domain (email@example.com), which may be because the domain is not configured to prevent illegitimate use or because Facebook is not doing a good anti-phishing check...
On this last point, I recommend this series of articles published by Chema Alonso. Also read on Wikipedia about SMTP (the mail transfer protocol) and the SPF and DKIM authentication systems.
To prevent others from being misled under your name, do not publish the account's primary email address on your profile. You can hide it under Information / Contact information / Edit:
And as always, be very careful with the messages you receive on Facebook, even if they appear to come from a trusted friend!
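As an added illustration (not code from the original post), here is the kind of defender-side check that the yellow warning depends on: it reads a message's Authentication-Results header and treats the mail as verified only if SPF or DKIM passed for the same domain as the From address. The two messages and all host names are constructed samples.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample: From claims a friend's address, but the sending host
# failed SPF and the mail carries no DKIM signature (a spoofing attempt).
SPOOFED = b"""Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bounce@anon-mailer.example; dkim=none
Return-Path: <bounce@anon-mailer.example>
From: Friend <friend@example.com>
To: me@facebook.com
Subject: hi

please click this
"""

# Constructed sample: SPF and DKIM both pass for the From domain.
LEGIT = b"""Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=friend@example.com; dkim=pass header.d=example.com
Return-Path: <friend@example.com>
From: Friend <friend@example.com>
To: me@facebook.com
Subject: hi

hello
"""

def parse_auth_results(value):
    """Return {method: (result, properties)} from an Authentication-Results header."""
    parts = [p.strip() for p in value.split(";")]
    results = {}
    for part in parts[1:]:  # parts[0] is the authserv-id (the receiving host)
        m = re.match(r"(\w+)=(\w+)(.*)", part)
        if not m:
            continue
        method, result, rest = m.groups()
        results[method] = (result, dict(re.findall(r"(\S+?)=(\S+)", rest)))
    return results

def classify(raw):
    """'verified' if SPF or DKIM passed for a domain aligned with From, else 'unverified'
    (the case where a client should show the origin-not-confirmed warning)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    spf_res, spf_props = results.get("spf", ("none", {}))
    dkim_res, dkim_props = results.get("dkim", ("none", {}))
    spf_ok = spf_res == "pass" and spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower() == domain
    dkim_ok = dkim_res == "pass" and dkim_props.get("header.d", "").lower() == domain
    return "verified" if (spf_ok or dkim_ok) else "unverified"
```

Alignment matters: an anonymous mailer can pass SPF for its own domain, so a pass counts only when the authenticated domain matches the From domain.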
See also: Forging the sender in text messages.