All emails from one affected mailbox (e.g. [email protected]) are automatically forwarded to an unknown address (e.g. [email protected]). Records like this can be seen in
dovecot service=lda, [email protected], ip=. sieve: [email protected]: redirect action: forwarded to [email protected]
- There are forwarding rules set up in Roundcube: Log in to webmail.example.com > Settings > Filters.
The account is compromized, attacker created the forwarding via webmail.
1. Immediately change the affected account's password to a stronger one:
- Log in to Plesk
- Navigate to Domains > example.com > Mail Accounts
- Select the affected mailbox and generate a new password or set one manually
2. Log in to the affected mailbox via webmail and go to Settings > Filters to remove the malicious forwarding rule.