As long as companies operate their software on domains all over the place they are actively hurting security.
How do you explain to normal people that fbsbx.com is a totally legit facebook site they have nothing to worry about, while fbsby.com and fbsbz.com might be dangerous.
We put so much effort into keeping up domain trust and all this hard work is for nothing as long as this goes on.
I wrote about it a few days ago in response to Troy Hunt's FedEx post
[0]. To answer your question, one of the reasons they don't use their
own subdomains is that it's cheaper to delegate lots of support
services to third party providers. Another is to avoid "polluting"
their domains in the eyes of various reputation filters.
The first time I got an email from Facebook I thought it was a scam, because they don't send their emails from Facebook.com; they send them all through Facebookmail.com.
Their help article about this seems to imply that they also use Metamail.com now, but checking my email I am only seeing emails from addresses ending with @email.meta.com.
Not sure about Meta but a lot of companies do this to preserve the domain reputation of their main domain, since sending mass or automated emails may degrade it and lead to things being marked as spam.
I have the exact same note with my government. They moved everything to one unified government.example site, all departments on it etc. Quite nice.
Then, over the years, little 'marketing'/'awareness'/'speciality' sites like governmentdrivesafe.example or governmentvaccines.example, or even governmentgetabusehelp.example (it's actually a similar initialism, but it's a place with resources for people to get help), etc. started popping up.
So many of these, and all that work they did to have one 'front' or trusted place to visit is gone? Anyone can register a government<something>.example (they chose a public TLD)... just baffles me honestly. New content from departments still appears on their "flagship" site, but these one-offs pop up as well.
They also have, and use, a URL shortening service on their main domain (e.g. government.example/{taxes,vehicles,covid} redirects to the longer link on government.example), but instead some departments opt to register domains.
At least in FB's case those might not be for their users' use (the obscure fb<xyz>.example domains)?
Has anyone else seen something like this in their local area?
Normal people just see facebook.com in their browser URL box and will never be dealing with the hundreds of different CDN domains it might be pulling from anyway, unless they're inspecting the HTML in dev tools.
Why does the list contain so many subdomains? Wouldn't it follow from facebook.com being Meta-owned that weird.subdomain.facebook.com is also Meta-owned?
Exactly, that is what I meant. The OP seemingly uses IP whois to identify meta (it is from a mastodon blocker). The condensed list removes subdomains to make it worse.
Full enumeration is useful for security research. For blocking purposes it can sometimes be helpful to enumerate it.
And on your question: it is most often the case that a subdomain is owned by the same entity, but it is not a given.
The most common thing is a CNAME to some site of a vendor. But you can go all the way to full subdomain delegation (this is the same as going from com. to facebook.com.).
The list is just a list of domains that CNAME to facebook.com (`www.paulfisher.net is an alias for facebook.com.`), this does not mean ownership by Meta.
Just because these hostnames point to FB IP addresses does not mean they're owned and operated by FB.
> 0-1.fb.me
> 0-7.fb.me
> ...
This lists a bunch of subdomains, ideally only the second-level domain names that can be owned by FB should be listed. Because anything under that is obviously FB.
Every single one of these fb.me domains and subdomains resolves to the same IPv4 and IPv6 address for me (like, there is a wildcard -- it accepts any subdomain). I think this list is poorly curated.
Everything before "corner" is Filipino and translated it means "I [am] the most handsome in Ph(ilippines)". Hard to explain how this comes across culturally. It's not particularly edgy, more cringe, the kind you'd find on someone's Friendster wall (MySpace never really got big there).
Really curious about `fb.me` now. Haven't seen a good-enough explanation in this thread and I can't be bothered to sleuth them up myself. I'm tending towards this list being not particularly well-curated.
"ako.pinaka.gwapo.sa.ph" resolves. I'm going to guess that something at Facebook isolates or maybe caches third-party content at <domain>.corner.static... etc.
It seems like DNS for fb.me returns the same address records for any subdomain. So anything you can conceive of .fb.me is valid -- e.g., dheera.fb.me. Ditto facebook.com.
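The two complaints above (the list mixes hundreds of subdomains in with the handful of separately registered names, and fb.me appears to answer for any label at all) are both mechanical checks. The following is an added example, not code from the thread or from any Meta tooling: it collapses a hostname list to registrable domains and applies a wildcard heuristic. It assumes a tiny hand-constructed stand-in for the Public Suffix List, a constructed resolver in place of real DNS, and sample hostnames modelled on the list under discussion; addresses come from the 203.0.113.0/24 documentation range.

```python
import secrets
from collections import defaultdict
from typing import Callable, Optional

# Hand-constructed stand-in for the Public Suffix List (assumption: the real
# list at publicsuffix.org is far larger and carries wildcard/exception rules).
PUBLIC_SUFFIXES = {"com", "net", "org", "me", "ph", "com.ph", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain of a hostname,
    e.g. '0-1.fb.me' -> 'fb.me', 'static.xx.fbcdn.net' -> 'fbcdn.net'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the full name down to shorter suffixes; the first hit is the
    # longest public suffix, and the label before it is the registrable part.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {hostname!r}")


def condense(hostnames) -> dict:
    """Group hostnames by registrable domain, so hundreds of subdomains
    collapse to the few names that are actually registered separately."""
    groups = defaultdict(list)
    for h in hostnames:
        groups[registrable_domain(h)].append(h.lower().rstrip("."))
    return {d: sorted(hs) for d, hs in sorted(groups.items())}


Resolver = Callable[[str], Optional[frozenset]]


def looks_like_wildcard(resolve: Resolver, domain: str, probes: int = 3) -> bool:
    """Heuristic: if several random, never-registered labels under `domain`
    resolve to exactly the same addresses as the apex, the zone almost
    certainly has a wildcard record and enumerating its subdomains tells
    you nothing about what actually exists."""
    apex = resolve(domain)
    if not apex:
        return False
    for _ in range(probes):
        label = "probe-" + secrets.token_hex(6)
        if resolve(f"{label}.{domain}") != apex:
            return False
    return True


def fake_resolve(hostname: str) -> Optional[frozenset]:
    """Constructed resolver standing in for real DNS. Swap in a function
    built on socket.getaddrinfo or dnspython for live checks."""
    hostname = hostname.lower().rstrip(".")
    if hostname == "fb.me" or hostname.endswith(".fb.me"):
        return frozenset({"203.0.113.10"})   # wildcard-style zone (constructed)
    if hostname in ("paulfisher.net", "www.paulfisher.net"):
        return frozenset({"203.0.113.20"})   # only explicitly named hosts exist
    return None


# Constructed sample, modelled on the kind of list discussed in the thread.
SAMPLE_HOSTNAMES = [
    "0-1.fb.me", "0-7.fb.me", "fb.me",
    "www.facebook.com", "weird.subdomain.facebook.com",
    "fbsbx.com", "static.xx.fbcdn.net",
    "www.paulfisher.net",
]

if __name__ == "__main__":
    for domain, hosts in condense(SAMPLE_HOSTNAMES).items():
        flag = " (wildcard?)" if looks_like_wildcard(fake_resolve, domain) else ""
        print(f"{domain}{flag}: {len(hosts)} entries")
```

Note that neither check says anything about ownership: a name that CNAMEs to facebook.com, or sits on a wildcard zone, still needs WHOIS and nameserver evidence before it belongs on a "Meta-owned" list.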
The list is weird since it's not comprehensive. Even obvious domains whose WHOIS points at Meta and which use the Facebook nameservers aren't there. There must be some weird dataset these are extracted from.
Workplace is essentially Facebook for business. It’s used internally at Meta, but also some large enterprise customers like Wal-Mart. Much better collaboration software than Slack et al in my experience.
I got to play around with Workplace a bit. It's 80% the same as Facebook and Messenger, but with a few changes to make it more appropriate for intra-office collaboration.
Count your blessings. It's like a version of FB that was forked in 2010 and is used by corps as an internal social network / project management system.
The UX is atrocious, it's extremely difficult to find anything and the permissions are a mess. I worked on a project that used it and was regularly tagged in threads I couldn't access or messaged by people whose names I couldn't see.
Most Big Tech companies have entry points and partnerships beyond their own ASN, e.g. Apple partnering with CloudFlare for Private Relay, so relying on ASN alone is insufficient.
Because TrueMove is the number two cellular provider in Thailand, LINE is the number one chat app in Thailand, and Thailand is one of the countries with the highest FB usage rates last time I saw such data...