
New? Phishing email from cPanel

Comments

3 comments

  • cPanelLauren
    Hello, this isn't sent by cPanel and this is definitely a phishing email, and spam software, I'd think, would catch it. Are you using SpamAssassin? I had another user today with the same issue here:
    0
  • MrIver
    Hi Lauren, Thank you for getting back. Just to follow up on my own question:
    • How do we check if any other clients have gotten this email? // We used the "Email Delivery Report" in WHM to find the incoming email and search for similar emails sent to our clients. Luckily only one had received it.
    • Can we create a global email filter on the server to block all emails to clients containing "AutoSSL certificate expired" (which our clients would never get an email about)? // We have now created a custom filter that, among other things, blocks all incoming emails containing "AutoSSL certificate expired" in the header as well as emails coming from "cpanelautossl(.)ru", as the email was not picked up by SpamAssassin.
    Here are the full headers:
    Return-Path:
    Delivered-To: xxx@XXX
    Received: from [our-host] by [our-host] with LMTP id WumBOXJvh14kZjMA06Cz+w (envelope-from ) for ; Fri, 03 Apr 2020 19:16:34 +0200
    Return-path:
    Envelope-to: xxx@xxx
    Delivery-date: Fri, 03 Apr 2020 19:16:34 +0200
    Received: from cockroach.larch.relay.mailchannels.net ([23.83.213.37]:21027) by [our-host]with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1jKPvj-00E7jP-5C for xxx@xxx; Fri, 03 Apr 2020 19:16:34 +0200
    X-Sender-Id: n3qhlh5e81|x-authuser|webdesi4@server18.thcservers.com
    Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id F06BD121416 for ; Fri, 3 Apr 2020 17:15:47 +0000 (UTC)
    Received: from server18.thcservers.com (100-96-14-17.trex.outbound.svc.cluster.local [100.96.14.17]) (Authenticated sender: n3qhlh5e81) by relay.mailchannels.net (Postfix) with ESMTPA id A85821212C8 for ; Fri, 3 Apr 2020 17:15:46 +0000 (UTC)
    X-Sender-Id: n3qhlh5e81|x-authuser|webdesi4@server18.thcservers.com
    Received: from server18.thcservers.com (server18.thcservers.com [193.29.187.158]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.6); Fri, 03 Apr 2020 17:15:47 +0000
    X-MC-Relay: Good
    X-MailChannels-SenderId: n3qhlh5e81|x-authuser|webdesi4@server18.thcservers.com
    X-MailChannels-Auth-Id: n3qhlh5e81
    X-Power-White: 171518e32141f3c1_1585934147457_1698614530
    X-MC-Loop-Signature: 1585934147457:3691641584
    X-MC-Ingress-Time: 1585934147457
    Received: from [::1] (port=33615 helo=localhost) by server18.thcservers.com with esmtpa (Exim 4.93) (envelope-from ) id 1jKPuy-000Cdh-67 for xxx@xxx; Fri, 03 Apr 2020 20:15:44 +0300
    From: "cPanel on xxx"
    To: "xxx@xxx"
    Reply-To: "cPanel on xxx"
    Date: Fri, 03 Apr 2020 17:15:44 +0000
    Subject: =?utf-8?B?W3VuZGVybGluZGV0cmFldC5ka10gdW5kZXJsaW5kZXRyYWV0LmRrOiBBdXRvU1NMIGNlcnRpZmljYXRlIGV4cGlyZWQgb24gMy8yOS8yMCBVVEM=?=
    Message-ID: <5e876f4029d36@webdesign.com>
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit
    MIME-Version: 1.0
    X-AuthUser: webdesi4@server18.thcservers.com
    X-Spam-Status: No, score=4.6
    X-Spam-Score: 46
    X-Spam-Bar: ++++
    X-Ham-Report: Spam detection software, running on the system "[our-host]", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
      Content preview: Your domain will get suspended in 2 days due to inactivity on your cPanel account. To roll back this action, please log in to your cPanel now and save your account! Log in The following domains will get suspended:
      Content analysis details: (4.6 points, 5.0 required)
       pts rule name              description
      ---- ---------------------- --------------------------------------------------
       0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: cpanelautossl.ru]
       1.5 BAYES_60               BODY: Bayes spam probability is 60 to 80% [score: 0.7230]
       1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
       1.5 KAM_MXURI              URI: URI begins with a mail exchange prefix, i.e. mx.[...]
       0.0 HTML_MESSAGE           BODY: HTML included in message
       0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
    X-Spam-Flag: NO
    0
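A triage check for the pattern described in the post above (the lure subject, the sender domain named in the thread, a From that claims to be cPanel while the message was authenticated on a foreign host, and a SpamAssassin score just under the 5.0 threshold), added here as an example and not code from the thread or from cPanel. The sample message, OUR_HOSTS, the reason strings and the near-miss threshold are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the thread's headers; hosts and addresses are placeholders.
SAMPLE = """\
Received: from server18.hosting.example (server18.hosting.example [192.0.2.10])
 by relay.example.test (Postfix) with ESMTPA id ABC123 for <user@example.test>
From: "cPanel on example.test" <webdesi4@server18.hosting.example>
To: "user@example.test" <user@example.test>
Reply-To: "cPanel on example.test" <noreply@cpanelautossl.ru>
Subject: =?utf-8?B?QXV0b1NTTCBjZXJ0aWZpY2F0ZSBleHBpcmVk?=
X-AuthUser: webdesi4@server18.hosting.example
X-Spam-Status: No, score=4.6
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0

<p>Your domain will get suspended in 2 days. Log in now.</p>
"""

OUR_HOSTS = {"example.test"}            # hosts that legitimately send our cPanel notices (assumed)
BLOCKED_DOMAINS = {"cpanelautossl.ru"}  # sender domain named in the thread
LURE_PHRASE = "autossl certificate expired"
NEAR_MISS_SCORE = 4.0                   # SpamAssassin flags at 5.0; review anything this close

def domain_of(addr_header):
    """Domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the reasons a message matches the spoofed AutoSSL notice pattern."""
    msg = message_from_string(raw, policy=policy.default)  # decodes RFC 2047 subjects
    reasons = []
    if LURE_PHRASE in (msg["Subject"] or "").lower():
        reasons.append("subject: lure phrase")
    for hdr in ("From", "Reply-To", "Return-Path"):
        if domain_of(msg[hdr]) in BLOCKED_DOMAINS:
            reasons.append(f"{hdr}: blocked domain")
    name, _ = parseaddr(msg["From"] or "")
    auth_host = domain_of(msg["X-AuthUser"])
    if name.lower().startswith("cpanel") and auth_host and not any(auth_host.endswith(h) for h in OUR_HOSTS):
        reasons.append("from: claims cPanel but authenticated on foreign host")
    m = re.search(r"score=([\d.]+)", msg["X-Spam-Status"] or "")
    if m and NEAR_MISS_SCORE <= float(m.group(1)) < 5.0:
        reasons.append("spamassassin: near-miss score")
    return reasons

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed it the raw message from a delivery-report search and any non-empty result is a candidate for the custom filter described above.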
  • cPanelLauren
    So SpamAssassin is .4 away from flagging it as spam :/ I'd add the originating domain/s to the blacklist for SA at the very least. Our legal team got back to me last night and let me know this is being handled and the site should be taken down soon but until then, adding some extra rules may be helpful.
    0
