Symptoms
You are receiving similar emails from your own domain while your account or email account may or may not be close to reaching its quota.
Description
Unfortunately, these are fake phishing emails that were not sent by cPanel on your server. They are disguised to look as though they come from your own server, and they try to direct you to a fake website in the hope that you will enter your cPanel login credentials. If you do, the attackers will steal those credentials.
To view the real sender of the email, follow our article to view the email headers:
How to find email headers
Here is an example from one of the emails:
X-AntiAbuse: Primary Hostname - attacker.example.com
X-AntiAbuse: Original Domain - yourdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - yourdomain.com
X-Get-Message-Sender-Via: attacker.example.com: authenticated_id: info@anotherdomain.com
You can see that the email originates from a server named attacker.example.com.
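The same header check can be scripted for a saved message. The following is an added example, not cPanel's own code: the function names, the sample From/Subject/body lines and the hostname `server.yourdomain.com` are assumptions, and the header values are the ones quoted above.

```python
import email
from email import policy

# Constructed sample: the header lines quoted above, plus a made-up
# From/Subject/body so the message parses as a complete email.
SAMPLE = """\
From: cPanel <cpanel@yourdomain.com>
Subject: Mailbox quota warning
X-AntiAbuse: Primary Hostname - attacker.example.com
X-AntiAbuse: Original Domain - yourdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - yourdomain.com
X-Get-Message-Sender-Via: attacker.example.com: authenticated_id: info@anotherdomain.com

Your mailbox is almost full.
"""

def antiabuse_fields(msg):
    """Split every 'X-AntiAbuse: Name - value' header into a dict entry."""
    fields = {}
    for raw in msg.get_all("X-AntiAbuse", []):
        name, sep, value = str(raw).partition(" - ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def check_origin(raw_message, my_hostnames):
    """Report the sending host and why it does not match this server."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    fields = antiabuse_fields(msg)
    host = fields.get("Primary Hostname", "").lower()
    claimed = fields.get("Sender Address Domain", "").lower()
    via = str(msg.get("X-Get-Message-Sender-Via", ""))
    auth_id = via.partition("authenticated_id:")[2].strip().lower()
    reasons = []
    if host not in {h.lower() for h in my_hostnames}:
        reasons.append(f"sent by {host or 'unknown host'}, not this server")
    # Only compare domains when the authenticated id is an email address.
    if "@" in auth_id and auth_id.rpartition("@")[2] != claimed:
        reasons.append(f"authenticated as {auth_id}, claims {claimed}")
    return {"sending_host": host, "authenticated_id": auth_id, "reasons": reasons}

if __name__ == "__main__":
    # "server.yourdomain.com" is a placeholder for your own server's hostname.
    print(check_origin(SAMPLE, ["server.yourdomain.com"]))
```

These headers are written by the sending server, so treat the result as a lead for the blacklist step rather than as proof of origin.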
Workaround
If you have navigated to the fake link and entered your cPanel login credentials, then change your cPanel account password as soon as possible:
How to reset a cPanel User’s Password
If you found the server that sent the email within the email headers, then you can blacklist its IP address. That way, any future credential-stealing emails from that server will be refused by your server.
In the example below, the server that sent the email is example.com. We can get the IP address of the server with the host command.
host example.com
example.com has address 93.184.216.34
Now that we know the IP address, we can blacklist it in WHM:
How to blacklist IPs from connecting to the SMTP server