Okey, but this is so in every host, so this is not a defect and this is not the problem but the problem is that you can make :
And it's work perfectly with every domain, THIS is what i am talking about
Thats what we made the domain limits for. I understand that you dont like them but they are the only secure way in securing the server against domain misuse and phising.
Btw, adding a website panel-secure-phishing.youhoster.com might only harm if you work with wildcard dns records which is not recommended anyway. If you dont use wildcard dns, nobody can access this site as the domain owner controls the dns record. If I add google.ocm on my ispconfig server, I will not get any traffic from google as their dns does not point to my server.
There is a feature request for adding a optional simple database match for website domains in the bugtracker for those who dont like the domain limit feature, so you might want to vote for that. But such a database match can never be really secure and customers can use it to block your system by adding e.g. a website "co.uk" which is a valid domain name and no other customer will be able to add a site with mysite.co.uk domain on your server until you removed or renamed the site. So while this check adds some pseudo security, it will case you troubles on the other side.