Scam impersonating emails from cPanel
Today 2 different accounts sent me an email impersonating cPanel, saying that the related account is almost full.
How can I report this to you? Is there a way that cPanel could block this type of phishing/scam?
Nevertheless, I have already updated my filters to block emails like this, but I think that cPanel should do a kind of KEY to prevent scammers from impersonating this or any other email coming from the OS on the servers.
Here are the related email headers; I have suppressed any info about my servers or accounts:
======================
Received from IP 81.169.146.201:
======================
======================
Received from IP 27.123.24.218:
Received: from mail-62-r20.ipv4.per01.ds.network ([27.123.24.218]:50604)
by WHIPED FROM REPORT
(envelope-from <bmaproje@cp-wc87.per01.ds.network>)
id WHIPED FROM REPORT
for WHIPED FROM REPORT; WHIPED FROM REPORT
Received: from cp-wc87.per01.ds.network (cp-wc87.per01.ds.network [103.67.235.61])
by halon-out02.au.ds.network (Halon) with ESMTPS
id 3e4f15c2-3586-11ec-bc81-f8bc1204ff90;
WHIPED FROM REPORT
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=test.artworkexpert.com.au; s=default; h=Date:Message-Id:Reply-To:From:
Content-Type:MIME-Version:Subject:To:Sender:Cc:Content-Transfer-Encoding:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=TEqqyGSV1Ad5Xu2o/Hdb+/GyX/OKCfZWE2pkJHX/B1g=; b=MosumGZiICSi+YqtHjqIIvt42v
ThIJfDOQR/Qw+RyfSG7TH4AWfazfN0Xz0FfMBOrvi9mNzvpfJyII79bX6gJ0qxKn0+IlCg9pqvu37
oXSocMdE+UmBVGojYC5orehkEOh5FZTQW9Pdid/2s65Ct1pWxBdK2jEiFMRbhSNnmplfYMVw8g8VL
fobj0KEP+eQ5bc681alWwxKQ9KK+DGQAZkAOIOVmUhEZ0IY2ReBSLiVGf0TO+lA2ZJCRgL1FJ92XS
mhZzDqRp5qjKO/TyMIodDIHBBj+fTX74Eb0T0aEa9YPJSj2Tcarh6q92zQoSzYADy4Inl92sSXpRj
wIK5nbtw==;
Received: from bmaproje by cp-wc87.per01.ds.network with local (Exim 4.94.2)
(envelope-from <bmaproje@cp-wc87.per01.ds.network>)
id WHIPED FROM REPORT
for WHIPED FROM REPORT; Mon, WHIPED FROM REPORT
To: WHIPED FROM REPORT
Subject: [ WHIPED FROM REPORT ] WARNING The domain "WHIPED FROM REPORT" has reached their disk quota.
X-PHP-Script: test.artworkexpert.com.au/class.lib.php for 91.207.102.163, 141.101.77.234
X-PHP-Filename: /home3/bmaproje/public_html/class.lib.php REMOTE_ADDR: 141.101.77.234
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary=4e1ca46924d55f68a4d2093989c69b55
From: cPanel on WHIPED FROM REPORT <cPanelonWHIPED FROM REPORT@test.artworkexpert.com.au>
Reply-To: cPanelonWHIPED FROM REPORT@test.artworkexpert.com.au
Message-Id:
Date: Mon, WHIPED FROM REPORT
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cp-wc87.per01.ds.network
X-AntiAbuse: Original Domain - WHIPED FROM REPORT
X-AntiAbuse: Originator/Caller UID/GID - [3198 991] / [47 12]
X-AntiAbuse: Sender Address Domain - cp-wc87.per01.ds.network
X-Get-Message-Sender-Via: cp-wc87.per01.ds.network: authenticated_id: bmaproje/from_h
X-Authenticated-Sender: cp-wc87.per01.ds.network: cPanelonWHIPED FROM REPORT@test.artworkexpert.com.au
X-Source:
X-Source-Args:
X-Source-Dir: /
======================
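The header checks a recipient can run on a message like the one quoted above, as an added example that is not part of the original post or cPanel's own code. It assumes genuine cPanel notices for your account originate from your own server; `impersonation_findings`, `own_hosts`, `server.example.net` and the `REDACTED` sample values are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header fields as quoted in the post, with "REDACTED"
# standing in for the values the poster removed.
SAMPLE = """\
Received: from cp-wc87.per01.ds.network (cp-wc87.per01.ds.network [103.67.235.61])
 by halon-out02.au.ds.network (Halon) with ESMTPS id REDACTED
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=test.artworkexpert.com.au; s=default; bh=REDACTED; b=REDACTED
Subject: [ REDACTED ] WARNING The domain "REDACTED" has reached their disk quota.
X-PHP-Script: test.artworkexpert.com.au/class.lib.php for 91.207.102.163, 141.101.77.234
From: cPanel on REDACTED <cPanelonREDACTED@test.artworkexpert.com.au>
X-AntiAbuse: Primary Hostname - cp-wc87.per01.ds.network

(body omitted)
"""

def impersonation_findings(raw, own_hosts):
    """List reasons a message claiming to be from cPanel did not come from own_hosts."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if "cpanel" not in (display + addr).lower():
        return []  # makes no claim to be cPanel; nothing to check
    own = {h.lower() for h in own_hosts}
    findings = []
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in own:
        findings.append(f"From domain {from_domain} is not one of our servers")
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)  # signing domain tag
        if m and m.group(1).lower() not in own:
            findings.append(f"DKIM signing domain d={m.group(1)} is not ours")
    for value in msg.get_all("X-AntiAbuse", []):
        m = re.match(r"Primary Hostname - (\S+)", value.strip())
        if m and m.group(1).lower() not in own:
            findings.append(f"sent from foreign cPanel host {m.group(1)}")
    script = msg.get("X-PHP-Script")
    if script:  # the mail was produced by a PHP script on a website
        findings.append(f"generated by a web script: {script.split(' for ')[0]}")
    return findings

if __name__ == "__main__":
    for reason in impersonation_findings(SAMPLE, {"server.example.net"}):
        print("-", reason)
```

A message that returns any finding can be quarantined or tagged by the receiving filter instead of matching on subject text alone.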
As I said: "I have already updated my filters to block emails like this, but I think that cPanel should do a kind of KEY to prevent scammers from impersonating this or any other email coming from the OS on the servers." That could be better than creating rules for that, just my 2 cents. But thank you for answering back. Regards, Sergio
Thank you for the confirmation. There's no way for us to stop phishing emails from servers outside our control completely. However, we do take these matters seriously and strive to ensure legitimate cPanel emails can be easily determined to be real.
I've gotten a couple of these on my own personal domain. It looked completely legit, enough to fool me. However, as a rule I don't click on links in emails I'm not expecting, so I went to the account and realized the email was incorrect. When I examined the links I found that they were not going back to my server. Unfortunately, there is nothing that cPanel can do to block or prevent these emails, but I think we need to consider that sending emails with links in them in the first place is becoming problematic. I think cPanel should reformat their emails and remove the links to the accounts. Rather, the email should say 'Please log into your account with the username: jsmithweb', for example, and not provide a link, so when users see a link they will know it is a scam. Obviously, the solution here is to create a closed system where messages about cPanel accounts are sent via push messages rather than email. cPanel should consider doing that, as the cost wouldn't be very high and it would allow users to get messages that are secure.
Thank you for the feedback!
I still think that using a HASH code created by the server and added to emails sent by cPanel on that server would be easier. If the email is missing that code or the code is incorrect, the system could delete the email or mark it as spam.
I've just had several of these this week, and several of my customers have emailed me directly about it. Just blocked gnetwork@fmt06.web.com.ph & pplanguages@server.distecnoweb.co