Scam impersonating emails from cPanel

Secmas

Well-Known Member
Feb 18, 2005
364
13
168
Today 2 different accounts sent me an email impersonating cPanel, saying that the related account is almost full.

How can I report this to you? Is there a way that cPanel could block this type of phishing/scam?

Nevertheless, I have already updated my filters to block emails like this, but I think that cPanel should create some kind of KEY to prevent scammers from impersonating this or any other email coming from the OS in the servers.

Here are the related email headers; I have suppressed any info about my servers or accounts:
======================
Received from IP 81.169.146.201:
Code:
Received: from mail-62-r20.ipv4.per01.ds.network ([27.123.24.218]:50604)
    by WHIPED FROM REPORT
    (envelope-from <[email protected]>)
    id WHIPED FROM REPORT
    for WHIPED FROM REPORT; WHIPED FROM REPORT
Received: from cp-wc87.per01.ds.network (cp-wc87.per01.ds.network [103.67.235.61])
    by halon-out02.au.ds.network (Halon) with ESMTPS
    id 3e4f15c2-3586-11ec-bc81-f8bc1204ff90;
    WHIPED FROM REPORT
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=test.artworkexpert.com.au; s=default; h=Date:Message-Id:Reply-To:From:
    Content-Type:MIME-Version:Subject:To:Sender:Cc:Content-Transfer-Encoding:
    Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
    Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
    List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=TEqqyGSV1Ad5Xu2o/Hdb+/GyX/OKCfZWE2pkJHX/B1g=; b=MosumGZiICSi+YqtHjqIIvt42v
    ThIJfDOQR/Qw+RyfSG7TH4AWfazfN0Xz0FfMBOrvi9mNzvpfJyII79bX6gJ0qxKn0+IlCg9pqvu37
    oXSocMdE+UmBVGojYC5orehkEOh5FZTQW9Pdid/2s65Ct1pWxBdK2jEiFMRbhSNnmplfYMVw8g8VL
    fobj0KEP+eQ5bc681alWwxKQ9KK+DGQAZkAOIOVmUhEZ0IY2ReBSLiVGf0TO+lA2ZJCRgL1FJ92XS
    mhZzDqRp5qjKO/TyMIodDIHBBj+fTX74Eb0T0aEa9YPJSj2Tcarh6q92zQoSzYADy4Inl92sSXpRj
    wIK5nbtw==;
Received: from bmaproje by cp-wc87.per01.ds.network with local (Exim 4.94.2)
    (envelope-from <[email protected]>)
    id WHIPED FROM REPORT
    for WHIPED FROM REPORT; Mon, WHIPED FROM REPORT
To: WHIPED FROM REPORT
Subject: [ WHIPED FROM REPORT ] WARNING The domain "WHIPED FROM REPORT" has reached their disk quota.
X-PHP-Script: test.artworkexpert.com.au/class.lib.php for 91.207.102.163, 141.101.77.234
X-PHP-Filename: /home3/bmaproje/public_html/class.lib.php REMOTE_ADDR: 141.101.77.234
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary=4e1ca46924d55f68a4d2093989c69b55
From: cPanel on WHIPED FROM REPORT <cPanelonWHIPED FROM [email protected]>
Reply-To: cPanelonWHIPED FROM [email protected]
Message-Id: <[email protected]>
Date: Mon, WHIPED FROM REPORT
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cp-wc87.per01.ds.network
X-AntiAbuse: Original Domain - WHIPED FROM REPORT
X-AntiAbuse: Originator/Caller UID/GID - [3198 991] / [47 12]
X-AntiAbuse: Sender Address Domain - cp-wc87.per01.ds.network
X-Get-Message-Sender-Via: cp-wc87.per01.ds.network: authenticated_id: bmaproje/from_h
X-Authenticated-Sender: cp-wc87.per01.ds.network: cPanelonWHIPED FROM [email protected]
X-Source:
X-Source-Args:
X-Source-Dir: /
======================

======================
Received from IP 27.123.24.218:
Received: from mail-62-r20.ipv4.per01.ds.network ([27.123.24.218]:50604)
    by WHIPED FROM REPORT
    (envelope-from <[email protected]01.ds.network>)
    id WHIPED FROM REPORT
    for WHIPED FROM REPORT; WHIPED FROM REPORT
Received: from cp-wc87.per01.ds.network (cp-wc87.per01.ds.network [103.67.235.61])
    by halon-out02.au.ds.network (Halon) with ESMTPS
    id WHIPED FROM REPORT;
    WHIPED FROM REPORT
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=test.artworkexpert.com.au; s=default; h=Date:Message-Id:Reply-To:From:
    Content-Type:MIME-Version:Subject:To:Sender:Cc:Content-Transfer-Encoding:
    Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
    Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
    List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=TEqqyGSV1Ad5Xu2o/Hdb+/GyX/OKCfZWE2pkJHX/B1g=; b=MosumGZiICSi+YqtHjqIIvt42v
    ThIJfDOQR/Qw+RyfSG7TH4AWfazfN0Xz0FfMBOrvi9mNzvpfJyII79bX6gJ0qxKn0+IlCg9pqvu37
    oXSocMdE+UmBVGojYC5orehkEOh5FZTQW9Pdid/2s65Ct1pWxBdK2jEiFMRbhSNnmplfYMVw8g8VL
    fobj0KEP+eQ5bc681alWwxKQ9KK+DGQAZkAOIOVmUhEZ0IY2ReBSLiVGf0TO+lA2ZJCRgL1FJ92XS
    mhZzDqRp5qjKO/TyMIodDIHBBj+fTX74Eb0T0aEa9YPJSj2Tcarh6q92zQoSzYADy4Inl92sSXpRj
    wIK5nbtw==;
Received: from bmaproje by cp-wc87.per01.ds.network with local (Exim 4.94.2)
    (envelope-from <[email protected]01.ds.network>)
    id WHIPED FROM REPORT
    for WHIPED FROM REPORT; WHIPED FROM REPORT
To: WHIPED FROM REPORT
Subject: [ WHIPED FROM REPORT ] WARNING The domain "WHIPED FROM REPORT" has reached their disk quota.
X-PHP-Script: test.artworkexpert.com.au/class.lib.php for 91.207.102.163, 141.101.77.234
X-PHP-Filename: /home3/bmaproje/public_html/class.lib.php REMOTE_ADDR: 141.101.77.234
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary=4e1ca46924d55f68a4d2093989c69b55
From: cPanel on WHIPED FROM REPORT <cPanelonWHIPED FROM REPORT@test.artworkexpert.com.au>
Reply-To: cPanelonWHIPED FROM REPORT@test.artworkexpert.com.au
Message-Id: <E1mey77-001ikG-MM@cp-wc87.per01.ds.network>
Date: WHIPED FROM REPORT
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cp-wc87.per01.ds.network
X-AntiAbuse: Original Domain - WHIPED FROM REPORT
X-AntiAbuse: Originator/Caller UID/GID - [3198 991] / [47 12]
X-AntiAbuse: Sender Address Domain - cp-wc87.per01.ds.network
X-Get-Message-Sender-Via: cp-wc87.per01.ds.network: authenticated_id: bmaproje/from_h
X-Authenticated-Sender: cp-wc87.per01.ds.network: cPanelonWHIPED FROM REPORT@test.artworkexpert.com.au
X-Source:
X-Source-Args:
X-Source-Dir: /
======================
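
Added example (not part of the original post): a filter check built from the indicators visible in the headers above, namely a "cPanel on ..." display name combined with a foreign From domain, an X-PHP-Script header, a foreign X-AntiAbuse primary hostname and a foreign DKIM d= domain. The sample message is constructed from those headers; server.example.com, example.com and the From local part are placeholders, and the check assumes genuine notices are generated on the recipient's own server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above; example.com stands in
# for the redacted recipient server, and the From local part is made up.
SAMPLE = """\
Received: from mail-62-r20.ipv4.per01.ds.network ([27.123.24.218]:50604)
    by server.example.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=test.artworkexpert.com.au; s=default; bh=PLACEHOLDER; b=PLACEHOLDER;
Subject: [ example.com ] WARNING The domain "example.com" has reached their disk quota.
X-PHP-Script: test.artworkexpert.com.au/class.lib.php for 91.207.102.163, 141.101.77.234
From: cPanel on example.com <cpanel@test.artworkexpert.com.au>
X-AntiAbuse: Primary Hostname - cp-wc87.per01.ds.network

(body omitted)
"""


def impersonation_findings(raw, my_hostname, my_domains):
    """Return reasons a message claiming to be a cPanel notice looks foreign.

    Assumption: genuine notices are generated on the recipient's own server,
    so my_hostname / my_domains describe that server.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if not display.lower().startswith("cpanel"):
        return []  # does not claim to be cPanel; out of scope for this check
    findings = []
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in my_domains:
        findings.append(f"From domain {from_domain} is not ours")
    if msg.get("X-PHP-Script"):  # header names the PHP script that sent the mail
        findings.append("sent by PHP script " + msg["X-PHP-Script"].split()[0])
    for value in msg.get_all("X-AntiAbuse", []):
        m = re.match(r"Primary Hostname - (\S+)", value)
        if m and m.group(1).lower() != my_hostname.lower():
            findings.append(f"originated on {m.group(1)}")
    for sig in msg.get_all("DKIM-Signature", []):
        # d= is the signing domain; a valid signature only vouches for that domain
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m and m.group(1).lower() not in my_domains:
            findings.append(f"DKIM d={m.group(1)} is not ours")
    return findings
```

A filter can quarantine any message for which this returns a non-empty list.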
 

Secmas

As I said:
"I have already updated my filters to block emails like this, but I think that cPanel should create some kind of KEY to prevent scammers from impersonating this or any other email coming from the OS in the servers."

That could be better than creating rules for that, just my 2 cents.

But thank you for answering back.

Regards,
Sergio
 

Serra

Well-Known Member
Oct 27, 2005
267
20
168
Florida
I've gotten a couple of these on my own personal domain. It looked completely legit enough to fool me. However, as a rule I don't click on links in emails I'm not expecting, so I went to the account and realized the email was incorrect. When I examined the links I found that they were not going back to my server.

Unfortunately, there is nothing that cPanel can do to block or prevent these emails, but I think we need to consider that sending emails with links in them in the first place is becoming problematic. I think cPanel should reformat their emails and remove the links to the accounts. Rather, the email should say 'Please log into your account with the username: jsmithweb', for example, and not provide a link, so when users see a link they will know it is a scam.

Obviously, the solution here is to create a closed system where messages about cPanel accounts are sent via push messages rather than email. cPanel should consider doing that as the cost wouldn't be very high and it would allow users to get messages that are secure.
 

Secmas

I still think that using a HASH code created by the server and added to emails sent by cPanel on that server would be easier.
If the email is missing that code or the code is incorrect, the system could delete the email or mark it as spam.
 
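
Added example (not part of the thread and not a cPanel feature): a sketch of the server-generated code proposed in the last post, using a keyed HMAC rather than a plain hash, since an unkeyed hash can be recomputed by any sender. The header name X-Server-Notice-Tag, the key and the sample notice are constructed for illustration, and the receiving filter is assumed to hold the same secret as the sending server.

```python
import hashlib
import hmac
from email import message_from_string

TAG_HEADER = "X-Server-Notice-Tag"  # hypothetical header name, not a cPanel feature
SIGNED_HEADERS = ("From", "To", "Subject", "Date", "Message-Id")
KEY = b"constructed-demo-key"  # real use: random secret readable only by root

# Constructed notice; single-part plain text for brevity.
NOTICE = """\
From: cPanel on server.example.com <cpanel@server.example.com>
To: owner@example.com
Subject: [ server.example.com ] WARNING The domain "example.com" has reached their disk quota.
Date: Mon, 01 Jan 2024 00:00:00 +0000
Message-Id: <constructed-1@server.example.com>

The account is almost full.
"""


def _tag(key, msg):
    """HMAC-SHA256 over the selected headers (whitespace-normalised) and the body."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in SIGNED_HEADERS:
        value = " ".join((msg.get(name) or "").split())
        mac.update(f"{name.lower()}:{value}\n".encode())
    mac.update(msg.get_payload().encode())  # assumes a single-part text body
    return mac.hexdigest()


def sign_notice(key, raw):
    """Sending side: prepend the tag header to an outgoing notice."""
    return f"{TAG_HEADER}: {_tag(key, message_from_string(raw))}\n{raw}"


def classify(key, raw):
    """Receiving filter: 'valid', 'invalid' or 'missing' for an incoming notice."""
    msg = message_from_string(raw)
    claimed = msg.get(TAG_HEADER)
    if claimed is None:
        return "missing"
    # Constant-time comparison so the check does not leak how much of a guess matched
    ok = hmac.compare_digest(claimed.strip().encode(), _tag(key, msg).encode())
    return "valid" if ok else "invalid"
```

A genuine notice that is captured and resent unchanged still verifies, so a filter using this would also need to reject Message-Ids it has already seen.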