• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue spoof emails : Disk quota(space) exceeding.

A

andyxyz

Basic Pleskian
We have had a few reports from customers today


From: Plesk on CUSTOMER.DOMAIN.COM <[email protected]>
Sent: 02 July 2021 16:06
To: [email protected]
Subject: Disk quota(space) exceeding.


<CUSTOMER.DOMAIN.COM> Disk quota exceeding notification

Our system has identified a critical condition of one of the server parameters.
The account currently uses 99.98% of its disk capacity.
Please log in to Plesk and check the server status: https://CUSTOMER.DOMAIN.COM:8443

The email address IS the customers registered Plesk user email address so it does look like this has leaked from plesk.

Behind the link are various fake domains that all seem to redirect to webhostplesk.com which is hosted on 45.146.164.27. I assume this page is harvesting plesk logins from there?

Is anyone else seeing this?
 
I am. Started seeing this a few days ago, wondered WTF happened since all my servers have plenty of storage left. Was wondering if it was some kind of bug or whatever but didn't care much about it, until today.
Upon further examination (which took all of two full seconds LOL) I noticed this message was sent to a very specific email address that I use exclusively to handle domains with the brazilian domain registrar. That email address is used only there and it is publicly visible when WHOIS'ing a domain.
So I don't think it leaked from Plesk, it was just someone scraping domain data.
 
+1

Over the past few days, around a hundred emails have been received. A priori this spam campaign detects that the hosting works under Plesk and sends these emails to the low whois emails of the domains concerned. PS: it is important not to click on the links. This becomes problematic on our side, our customers give us back the information ... It passes anti-spam ...

Igor,
Have you had any significant feedback on the problem? Is there a way to block this besides the usual anti-spam tools?
 
Right now I'm truly, *really* glad that I run a managed website hosting business and my clients *don't* have access to the Plesk panel (nor do they even know I'm using it). I'm just imagining what the damage would be if my clients clicked on these links.

In any case I clicked on the link just for fun (I generally do, just to enjoy the effort of the hackers). Looks like the domain (https***test.linezapparel.com) was nixed, so I guess everyone is safe for now - until they start sending other batches with a new domain.
 
You must log in or register to reply here.

Similar threads

QWeb Ric
Issue Track email delivery -> Action log showing "Domain's disk space limit reached"
Replies
1
Views
239
QWeb Ric
QWeb Ric
P
Issue Disk usage calculation is wrong
Replies
1
Views
510
Kaspar@Plesk
Kaspar@Plesk
C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
508
Change Maker
C
burnley
Forwarded to devs It is possible to create mail box without triggering 'Create Mailname' event handler
Replies
4
Views
2K
Peter Debik
P
A
Issue Backups take space from subscriptions
Replies
13
Views
2K
Kaspar
K
Back
Top