[Scam warning] cpanelsubmit.com impersonating CPanel form in email contents. Low spamassassin score!

tudorh

Active Member
Just a warning to stay vigilant. Today we received an email that purports to be a CPanel form and submits your email and, potentially, your password to cpanelsubmit.com.

Code:
<FORM id=3Dbadtokenloginform method=3Dpost=20
action=3Dhttp://cpanelsubmit.com/confirm.php>
In some variations of the email, the CPanel logo is included as well where it is commonly located on legitimate CPanel system forms.

The email was from:
Code:
Received: from mail01.mail.l3.contentfleet.com ([185.28.77.26]:35489)
...and purporting to be from an address at bigpond.com.

The bigger concern is that it got a spamassassin score of -1.9, -18 when queries to the URIBL are blocked (which is fairly common on cloud systems):

Code:
X-OutGoing-Spam-Status: No, score=-1.9
X-Spam-Status: No, score=-1.9
X-Spam-Score: -18
X-Spam-Bar: -
X-Ham-Report: Spam detection software, running on the system "webhost.**redacted**.com",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
root\@localhost for details.
Content preview:  HTTP error 401 Invalid Security Token The requested URL does
    not contain your session’s correct security token.
Content analysis details:   (-1.9 points, 5.0 required)
  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: cpanelsubmit.com]
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                             provider
                             [**redacted**[at]bigpond.com]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 SPOOFED_FREEMAIL       No description available.
X-Spam-Flag: NO
I have attached a screenshot.
 


cPanelLauren

Product Owner
Staff member
Thank you for the heads up. These kinds of emails are articulated in a way to specifically bypass spam software. It's always advised to be vigilant about the email you receive claiming to be from any company. cPanel will never send an email of this nature, though I do see how it could be convincing. Keep in mind as well that email regarding your server wouldn't originate from cPanel; it would originate from your server.
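
Added example (not part of the original posts, and not cPanel's code): because the content scoring in the first post let the message through, a complementary check is to decode the quoted-printable HTML part and flag any form that posts to a host other than your own server. The trusted host `webhost.example.com`, the function names and the sample message (including its input fields) are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the quoted-printable snippet in the first post.
SAMPLE = (
    "From: redacted@bigpond.com\r\n"
    "Subject: HTTP error 401 Invalid Security Token\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<FORM id=3Dbadtokenloginform method=3Dpost=20\r\n"
    "action=3Dhttp://cpanelsubmit.com/confirm.php>\r\n"
    "<INPUT name=3Duser><INPUT type=3Dpassword name=3Dpass>\r\n"
    "</FORM>\r\n"
)


class FormFinder(HTMLParser):
    """Collects each form's action URL and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []  # one dict per <form>: {"action": str, "password": bool}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True


def suspicious_forms(raw_message, trusted_hosts):
    """Return forms in HTML parts whose action posts to a host outside trusted_hosts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = FormFinder()
        finder.feed(part.get_content())  # get_content() undoes quoted-printable
        for form in finder.forms:
            host = (urlsplit(form["action"]).hostname or "").lower()
            if host and host not in trusted_hosts:  # relative actions are skipped
                hits.append({"host": host, **form})
    return hits
```

A non-empty result for mail that claims to come from your hosting panel is a strong signal regardless of the Bayes score, since legitimate mail rarely embeds a login form at all.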