cPanel Phishing Scam

xynames

Emails look legit, and appear to come from accounts at cpanel.net (whatever that is, but it sounds legit)

But it's not! My SpamCop shows that it is coming from Brazil....

URL links in the email will take you to a phishing scam!
 
Interesting that it got past a spam filter, given cpanel.net has SPF records. Do the full headers show any SPF failures?
 
It is a forged email. Just because an email has a reply-to email address of whatever doesn't mean it actually came from there. According to my SpamCop it actually came from a virtua dot com dot br address.
 
just because an email has a reply to email address of whatever doesn't mean it actually came from there

Sure, but all spam filters should discard the email because the sender's IP should not match the SPF record for the cpanel.net domain. cPanel have "-all" at the end of their SPF record, so any emails 'from' @cpanel.net addresses that aren't from their servers should be rejected.
 
Just received another version

And yes, there is some SPF failure in the headers, and it was detected as SPAM but still got through.

-Spam-Report: Spam detection software, running on the system "******.com",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.

---

4.0 SPF_FAIL SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;[email protected];ip=177.XX.XXX.XX;r=*******.com]
4.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=helo;id=cpanel.net;ip=177.XX.XXX.XX;r=*******.com]
0.0 HTML_MESSAGE BODY: HTML included in message

---

Same source according to my Spam Cop

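Added example (not part of any post in this thread, and not SpamAssassin or cPanel code): a short Python sketch that parses rule lines in the format of the report quoted in the post above and shows why a message can score as spam and still be delivered when the filter only tags, compared with a policy that refuses mail on an SPF hard fail. The rule names and scores mirror that report; the sample address, IP and hostname are constructed, and the `disposition` policy, its 5.0 threshold and its result labels are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the report quoted in the post above;
# the address, IP and hostname are placeholders, not values from the thread.
SAMPLE_REPORT = """\
 4.0 SPF_FAIL SPF: sender does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=user@example.com;ip=203.0.113.7;r=mx.example.org]
 4.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
 0.0 HTML_MESSAGE BODY: HTML included in message
"""

# "<score> <RULE_NAME> <description>"; bracketed continuation lines do not match.
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")


def parse_report(report):
    """Return {rule_name: score} for every scored rule line in the report."""
    hits = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def disposition(hits, required_score=5.0, reject_rules=()):
    """Hypothetical delivery policy applied after scoring.

    required_score=5.0 is an assumed threshold. reject_rules names rules
    whose presence alone refuses the message, e.g. an SPF hard fail.
    """
    if any(rule in hits for rule in reject_rules):
        return "reject"
    if sum(hits.values()) >= required_score:
        return "deliver-tagged"   # marked as spam, but still lands in a mailbox
    return "deliver"


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(hits, "total:", sum(hits.values()))
    print("score-and-tag only:", disposition(hits))
    print("reject on SPF hard fail:", disposition(hits, reject_rules=("SPF_FAIL",)))
```
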
I receive forged emails all the time. I have Spam Assassin turned on but it doesn't seem to help.

Maybe there is some additional setting that I am missing?
 