BinInt

...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.

5/07/2025
Posted by Matt C

Facebook Leaks IP Addresses

Update: It looks like Facebook fixed the default behavior of the sent emails. Your IP Address is no longer included in the notification emails. I will give Facebook credit that they solved this in less than 24 hours. Now, if they can just shore up some of the other issues...

Original Post:
Facebook sends email notifications whenever a friend comments on your status, sends you a message, or for a variety of other reasons. The emails have subjects similar to "John Doe commented on your wall post." The unfortunate thing is that this email also appears to contain John Doe's (or your other friend's) IP address.

The email headers contain a line similar to:
X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

Copy this line out and feed it to this page:
http://www.myiptest.com/staticpages/index.php/trace-email-sender

You will get the IP address of your friend, and clicking on it will show a geolocation-based map. This will also show you whether your friend used their cell phone to post and who their service provider is.
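The bracketed value in that X-Facebook line is just base64; there is no need to paste a full message header into a third-party lookup page to read it. The following decoder is an added example (not code from the post or from Facebook) that extracts the address locally and then says whether it could even be another user's address: a loopback result, which several readers report getting, is the local host, not the friend. The second and third sample lines are constructed here to exercise those cases; the plain-text X-Originating-IP form that other mail providers use is assumed to carry a bracketed dotted-quad.

```python
import base64
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample header lines. The first is the X-Facebook line quoted in
# the post; the second is a made-up variant carrying the loopback address that
# several readers reported; the third is the plain-text X-Originating-IP form
# that other mail providers use (format assumed here for comparison).
SAMPLE_HEADERS: List[str] = [
    "X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])",
    "X-Facebook: from zuckmail ([MTI3LjAuMC4x])",
    "X-Originating-IP: [203.0.113.42]",
]

# Matches one bracketed token such as [MTAuMzAuNDcuMjAw] or [203.0.113.42].
_BRACKET_RE = re.compile(r"\[([^\[\]]+)\]")


def extract_ip(header_line: str) -> Optional[str]:
    """Return the IP address carried in a header line, or None.

    Each bracketed token is tried as a literal address and as base64 (the
    zuckmail encoding). Anything that does not parse as an IP address is
    rejected rather than guessed, so a Subject line yields None.
    """
    _name, sep, value = header_line.partition(":")
    if not sep:
        return None
    for match in _BRACKET_RE.finditer(value):
        token = match.group(1).strip()
        candidates = [token]
        try:
            # validate=True rejects tokens with non-base64 characters (e.g. dots)
            candidates.append(base64.b64decode(token, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass
        for cand in candidates:
            try:
                return str(ipaddress.ip_address(cand))
            except ValueError:
                continue
    return None


def classify(ip_text: str) -> str:
    """Say whether a decoded address could plausibly be an end user's address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        # 127.0.0.1: the client's own host, never the other user
        return "loopback"
    if not ip.is_global:
        # RFC 1918 / reserved space: Facebook-internal or the NAT side of a network
        return "non-global"
    return "global"


def analyze_headers(lines: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each header line to (decoded address or None, classification or None)."""
    results: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for line in lines:
        ip = extract_ip(line)
        results[line] = (ip, classify(ip) if ip else None)
    return results


if __name__ == "__main__":
    for line, (ip, kind) in analyze_headers(SAMPLE_HEADERS).items():
        print(f"{line!r:55} -> {ip} ({kind})")
```

The first sample decodes to 10.30.47.200, which sits in RFC 1918 space, so even the address quoted in the post is not something a map lookup can place; the point of the classification step is to stop a reader from treating a loopback or private address as a location.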

This information is great when a fugitive is taunting law enforcement through their Facebook page, but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication.

This isn't the end of the world compared to some of Facebook's other privacy problems; however, there is simply no need for Facebook to include these IP addresses, and it should be fixed quickly.

50 comments:

Trent Lloyd said...

Actually, this is a common method of combating spam; all of the various spam providers will block Facebook as a whole if they don't include this information, which would obviously be a devastating annoyance.

Go and send an e-mail from hotmail, or any kind of mailserver.. normal e-mail client, gmail, etc.. and you will see the exact same behavior... not to mention your IP is transmitted to every web site you visit on the internet, and even someone you talk to on MSN say - if you do a direct file transfer.

Anonymous said...

Actually, that's the email of the sending server that you refer to, Trent. Facebook is sending the IP address of the user that initiated the event. Two very different things insofar as privacy is concerned.

Anonymous said...

a devastating annoyance?

The user-generated spam you receive from Facebook if you're not a member is an even greater annoyance. I have a rule on my mailserver to discard mails from Facebook for my inbox, as I don't want to be notified every time another lemming pours their whole address book - which happens to contain my email address - into the Facebook abyss of annoyance.

Jake Brandon said...

I think sending the IP address of the actual user is definitely a whole different can of worms than sending the IP address of the mail server. Anyway, Facebook is really in trouble with privacy now and I hope they clean up their act because I'm very close to gone from there. Actually, I might just get off the internet altogether with DirtyPhoneBook and other sites having the ability to spread my personal information without my permission. Facebook is very close to being a multi-billion dollar behemoth, but there's a chance they screw it up at the finish line due to greed and incompetence.

Anonymous said...

If a wife is trying to hide from her abusive husband, why would she comment on her husband's post or take an action that would send him a notification, or be friends with him on Facebook anyway?

Matt C said...

Yeah, the abusive husband maybe wasn't the best example. Still doesn't take away from the privacy implications involved.

rjbs said...

No, nearly all large email service providers will report the IP of the user, often via the X-Originating-IP header. This lets you perform spam analysis based on the apparent end user location rather than just the server.

It's very valuable data in antispam.

Anonymous said...

Vpn. Done!

Matt C said...

I'm surprised at some of the backlash on this. Yes, if I originate an email I expect my IP address to appear in the header. But if Facebook originates an email (based on another user's settings that I have no control over), my IP address should not appear.

Imagine if by commenting here, this blog sent your IP address to everyone who commented before you. It's just not right.

Anonymous said...

Correct me if I'm wrong, people, but the IP address that is shown will not reveal the location of the PC, but rather the location of the ISP that the PC uses. This could be literally states away from the physical location of the PC. This is still a bit of an issue, but not nearly as big as this post makes it seem. You can't find someone's house through this information.

TrainReq said...

This does not give the IP address of the Facebook user. Facebook has multiple mail servers; the header that is shown just shows the IP address of the mail server that mailed out the notification, not of the Facebook user.

Just a heads up

Andrew said...

This isn't limited to just friends -- if I comment on a friend's photo, and someone else who has commented on that photo gets an email update, they will see my IP. It doesn't matter that we're not friends.

Also, yes, you can't find someone's house with this info, but take a look at a few of the (partially-obscured) hostnames reversed from IPs I grabbed from headers:
p0-0-0-0.nat.washington.edu -- University of Washington
0-0-0-0.nctc.mnscu.edu -- Northland College
0-0-0-0.phnx.qwest.net -- Phoenix (Qwest customer)

Anonymous said...

TrainReq: wrong, it does give the IP of the user.

Charles said...

To all of the people who bluster and sputter that this will make them leave Facebook - could you just go ahead and DO it already?

Every email in the world has the IP address of the originating sender. So what?

Anonymous said...

Mmm - didn't seem to work for me; it returned 127.0.0.1 as the IP address...

martineve said...

@Charles: yes, emails do contain a source header, but commenting on a Facebook page does not constitute sending an email.

@Matt C: a lot of the backlash is out of ignorance as to how much identification is presented by this information.

Whoever suggested a VPN is making a good call.

Anonymous said...

The more I know... Thanks for the post, as it starts a great discussion. I'm on FB but growing more paranoid of it by the week.

Anonymous said...

I checked mine last night. I was not all that concerned with Earthlink, Tampa Bay but when I clicked on the map, it put the pointer in a small town next to me, about 2 miles from my house. There are no server farms there and it's not on the same side of the bay as Tampa.

It was a lot closer than I expected.

Paul said...

They can't go back and delete all the e-mails from someone's inbox now though. Our IP addresses are still there for all to see. There's no way to fix what's already been done.

Anonymous said...

As some have pointed out, your IP is in standard email headers you send depending on your mail provider. It is also left in server logs when visiting sites (unless you use a proxy service).

There has to be a balance between privacy and accountability. People are taking to Facebook as a way to bully others and make irresponsible statements thinking they are free from any consequences from doing so. Not providing some means to link this back to the author removes accountability and causes people to behave differently than when held accountable.

Privacy is necessary, but not at a cost of removing all accountability. A society with no accountability is just as dangerous as one with no privacy.

Anonymous said...

This is the most significant event regarding privacy that has happened this year. The founding fathers would be proud of you.

Anonymous said...

I tested this and it only has the facebook email servers in the header... as it should.

Barry Schnitt said...

We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we’ve discontinued it. Thank you for bringing this to our attention.

Best,
Barry

--
Barry Schnitt
Director, Policy Communications
Facebook
[email protected]
650.543.4979

Matt C said...

Hi Barry,

Thanks for the comment and it's nice to see Facebook changed this particular practice.

You guys had an unfortunate week in the news as far as privacy concerns go. Has any of the recent press made Facebook consider new privacy options? Are there plans to give users more control over their privacy? The privacy options should be more restrictive by default and there are too many confusing options for the average user. I know more than a few people who would like to see things change.

Thanks,

Matt

Bruno B said...

This is an issue way back from 2009. Please read this post:

http://www.facebook.com/topic.php?uid=5484086268&topic=13871

Anonymous said...

When a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication? Why? Knowing her IP address will not give out her exact location, just her general one.

I've been well aware that my IP address can be found through just about any notification sent through an email from Facebook for quite some time now, and I never had a problem with it.
If someone looks up my IP address, they will not get my exact location; it will show a different location each time.

Yes, this does protect the privacy of the other person. It is protecting the privacy of someone who has continually harassed and verbally abused myself and others on a discussion board many, many times. There are people on Facebook that bully and harass others. When their account is removed for it, they create another account with a fake name and continue the same behavior.
It takes Facebook up to 3 to 5 days to remove the account (if they are even removed at all). In the meantime, there are humiliating and verbally abusive posts that show up on Google for that amount of time, and even longer.
What of our rights to have a general idea of who someone that sends us a friend request or replies to us on a message board might be?
Finding the IP address of the person helped to be able to identify them, avoid them, and to be on the look-out for odd behavior.

On the other hand, the consequences of knowing someone's IP address are minimal. At the most, I believe someone could do a DDoS attack (and you'd have to be quite a loser to do so). It's a common misconception that someone knowing your IP address is a horrible thing.
If someone believes that, they should log off the internet and stay off it.

In my view, this was a giant step backward.

Of course, in a perfect world, Facebook would take bad behavior seriously and protect their users from this kind of thing, but anybody who has been on Facebook for any amount of time certainly knows that is not going to happen any time soon.

Anonymous said...

Does not work with Hotmail.

Anonymous said...

I am so relieved someone else has raised this issue!! Thank you Anonymous ... You've hit the nail right on the head!!

Anonymous said...

Can people still see my IP address on Facebook now, then?

Anonymous said...

But someone copied my profile picture and made a fake account using my picture.
Now how can I get the IP address of that person?

RG said...

Same with my daughter's ID: somebody has made a fake ID in her name, and the Facebook authorities did not help even after many people pressed report/block.
I want the Facebook authorities to at least release some identification in mail headers or so in case such abuse is happening, and especially when their own response to such abuse is slow. What do you say, Barry???????

rg said...

If anybody knows anything about cracking the IP address of a message sender via Facebook, please help.

Torben Slot Petersen said...

Hear, hear! I'm a consultant teaching social media in Danish primary school. One worry is troublemakers ruining the school's Facebook Pages by opening false FB profiles and harassing other students. Can we somehow track these false profiles? Can Facebook help us - is there any standard on the subject? Does anyone have some advice?
Thanks, by the way, for the post!

Anonymous said...

I can't see why privacy is such an issue for people unless they are hiding something? I have been stalked by someone on FB who, apparently from the messages, may be following me in real life; they know way too much. I can't really file a police report with no actual physical threats, but I don't know who to file a protective order against. Since FB obviously values privacy in the favor of such maniacs over the peace of mind of peaceful citizens, can someone at least tell me where I can get contact info for FB administrators to trace these horrific and scary messages? I got no reply from merely blocking and reporting the person, and it appears to have spilled over from internet to real-world stalking. HELP!

Anonymous said...

When I check the message header in Outlook 2007 for the above line, I get the IP as 127.0.0.1, i.e. my own ping address. How do I get the IP from the FB message? Please tell me.

Dave said...

So is there any way to tell what Facebook app is being used to create the formatted message being piped to zuckmail?

I've gotten a series of invites to join Facebook, sent in some cases to long-disused email addresses of mine - presumably by clueless (ex?) friends. I want to report the apps they used as abusive and misleading, if not find ways of blocking them more effectively.

I piped the X-Facebook header to the MyIPTest tool for which Matt posted a link, and the hashtag decodes to 127.0.0.1

From these headers it appears to be a single standardized and Facebook-approved app with a form that any dummy can use.

From: facebookspammer-evidently-made-up-name-whatevertheywanted@myISP,
on Facebook [including the comma after myISP]
Reply-to: noreply
Subject: Check out facebookspammer
Message-ID: <[msgid]@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: fbpage_ci_invite; mailid=thirty-byte-hash
Errors-To: [email protected]
X-FACEBOOK-PRIORITY: 1
MIME-Version: 1.0

I've gotten two of these from two seemingly-unrelated senders in the last two days.

James said...

Can you still trace the IP address from these notifications? If so, how do I get the header information from a facebook notification?

Anonymous said...

I have one doubt: if I post on my friend's wall, can anybody else get my IP address?

They obviously can't get an email, as I've posted it separately! But can they track my IP address without an email, just by the profile ID or something?

Anonymous said...

PLEASE reply to the above question; FB's lack of privacy and cyber stalkers make the situation worse.

Anonymous said...

Now there is no way to know the IP address of a Facebook message sender.

Anonymous said...

Geez, why did Facebook remove that? It is not working now, right?

Vikrant said...

Hello,

I am trying to find the IP as per the above comment, but I am getting the mail server 127.0.0.1 localhost.
Can anyone help me?

Anonymous said...

Vikrant! That means the killer is inside the house!

Budiono Halim said...

Cannot work again...

Anonymous said...

Each has the same IP.
This is fake; Facebook is not a local site which will give out people's IPs like this.

Pete Hjemmeside said...

Is this fake or true?

vaibhav said...

Can someone hack one's IP address on Facebook and find the exact location of the user?

Anonymous said...

Everybody posting in 2011... this is old news and has been fixed.

To those who want to keep their privacy from bullies and such: don't have them as friends and learn to proxy.

A proxy server hides your real IP address from the common fiends. Facebook or the police themselves can still track you and catch you in a cybercrime, but bullies can't get your real IP address if you use a proxy.

Also, it takes a good hacker and sleuth to figure out your real address from your IP.

You have nothing to worry about, folks.

Anonymous said...

It's not working anymore :( I think Facebook should include the IP address of the FB users in our email headers :D

Anonymous said...

That's your own IP address... fools... It's not your friend's. Check it...
