Symptoms
- All mail from a Plesk email address is forwarded to an unknown email address, with these records logged to /var/log/maillog:

  dovecot service=lda, [email protected], ip=[]. sieve: [email protected]: redirect action: forwarded to [email protected]

- There are unknown forwarding rules in Roundcube (webmail.example.com > Settings > Filters).
Cause
The account has been compromised; the attacker created the forwarding rules in webmail.
Resolution
Secure the account and remove the forwarding rules.
- Set a stronger password for the affected account.
- Log in to the affected mailbox in webmail.
- Go to Settings > Filters and remove the malicious forwarding rule(s).
To help prevent such issues, harden the Plesk server as described in: How to secure a Plesk server
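To check whether other mailboxes on the server have the same kind of rule, the redirect records shown under Symptoms can be summarised per mailbox and destination. The script below is an added example, not part of the original article or of Plesk. The function names are hypothetical, and the `user=` and `msgid=` fields in the constructed sample lines are assumptions, because the addresses in the article's log excerpt are redacted.

```shell
#!/bin/sh
# Added example: summarise dovecot sieve redirect actions from a mail log.
# Usage (after sourcing this file): list_sieve_redirects /var/log/maillog

list_sieve_redirects() {
    awk '
    function addr(s) {                 # first address-like token in s, or ""
        if (!match(s, /[^ <=,]+@[^ >,;:]+/)) return ""
        s = substr(s, RSTART, RLENGTH)
        sub(/\.$/, "", s)              # drop a trailing sentence period
        return tolower(s)
    }
    /service=lda/ && /redirect action: forwarded to/ {
        # mailbox: address between "service=lda," and "sieve:"
        head = $0; sub(/.*service=lda,/, "", head); sub(/sieve:.*/, "", head)
        # destination: address after "forwarded to"
        tail = $0; sub(/.*redirect action: forwarded to/, "", tail)
        box = addr(head); dst = addr(tail)
        if (box == "" || dst == "") next
        seen[box " -> " dst]++
    }
    END {
        for (k in seen) {
            split(k, p, " -> ")
            bd = p[1]; sub(/.*@/, "", bd)
            dd = p[2]; sub(/.*@/, "", dd)
            # The tag is a triage hint only; review same-domain rules too.
            printf "%d %s %s\n", seen[k], k, (bd == dd ? "same-domain" : "EXTERNAL")
        }
    }' "$1" | sort -k1,1nr -k2
}

# Constructed sample log lines (not taken from a real server).
sample_maillog() {
cat <<'EOF'
Mar  3 10:15:01 srv dovecot: service=lda, user=jdoe@example.com, ip=[]. sieve: msgid=<a1@mail.example.org>: redirect action: forwarded to <collector@mail.example.net>
Mar  3 10:17:44 srv dovecot: service=lda, user=jdoe@example.com, ip=[]. sieve: msgid=<a2@mail.example.org>: redirect action: forwarded to <collector@mail.example.net>
Mar  3 10:20:09 srv dovecot: service=lda, user=sales@example.com, ip=[]. sieve: msgid=<a3@mail.example.org>: redirect action: forwarded to <archive@example.com>
Mar  3 10:21:30 srv dovecot: service=lda, user=sales@example.com, ip=[]. sieve: msgid=<a4@mail.example.org>: stored mail into mailbox 'INBOX'
EOF
}
```

Each output line is a message count, the mailbox, the forwarding destination, and a tag showing whether the destination is outside the mailbox's own domain. Any mailbox that appears with a destination its owner does not recognise needs the same steps as in Resolution.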