• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue spoof emails : Disk quota(space) exceeding.

andyxyz

Basic Pleskian
We have had a few reports from customers today


From: Plesk on CUSTOMER.DOMAIN.COM <[email protected]>
Sent: 02 July 2021 16:06
To: [email protected]
Subject: Disk quota(space) exceeding.


<CUSTOMER.DOMAIN.COM> Disk quota exceeding notification

Our system has identified a critical condition of one of the server parameters.
The account currently uses 99.98% of its disk capacity.
Please log in to Plesk and check the server status: https://CUSTOMER.DOMAIN.COM:8443

The email address IS the customers registered Plesk user email address so it does look like this has leaked from plesk.


Behind the link are various fake domains that all seem to redirect to webhostplesk.com which is hosted on 45.146.164.27. I assume this page is harvesting plesk logins from there?

Is anyone else seeing this?
 
I am. Started seeing this a few days ago, wondered WTF happened since all my servers have plenty of storage left. Was wondering if it was some kind of bug or whatever but didn't care much about it, until today.
Upon further examination (which took all of two full seconds LOL) I noticed this message was sent to a very specific email address that I use exclusively to handle domains with the brazilian domain registrar. That email address is used only there and it is publicly visible when WHOIS'ing a domain.
So I don't think it leaked from Plesk, it was just someone scraping domain data.
 
+1

Over the past few days, around a hundred emails have been received. A priori this spam campaign detects that the hosting works under Plesk and sends these emails to the low whois emails of the domains concerned. PS: it is important not to click on the links. This becomes problematic on our side, our customers give us back the information ... It passes anti-spam ...

Igor,
Have you had any significant feedback on the problem? Is there a way to block this besides the usual anti-spam tools?
 
Right now I'm truly, *really* glad that I run a managed website hosting business and my clients *don't* have access to the Plesk panel (nor do they even know I'm using it). I'm just imagining what the damage would be if my clients clicked on these links.

In any case I clicked on the link just for fun (I generally do, just to enjoy the effort of the hackers). Looks like the domain (https***test.linezapparel.com) was nixed, so I guess everyone is safe for now - until they start sending other batches with a new domain.
 
Back
Top