Applicable to:
- Plesk for Linux
Symptoms
- All emails from one affected mailbox (e.g. contact@example.com) are automatically forwarded to an unknown address (e.g. jdoe@example.net). Records like this can be seen in /var/log/maillog:
  dovecot service=lda, user=contact@example.com, ip=[]. sieve: msgid=618dad9e22271@example.com: redirect action: forwarded to jdoe@example.net
- There are forwarding rules set up in Roundcube: Log in to webmail.example.com > Settings > Filters.
Cause
The account is compromised: an attacker created the forwarding rule via webmail.
Resolution
1. Immediately change the affected account's password to a stronger one:
- Log in to Plesk
- Navigate to Domains > example.com > Mail Accounts
- Select the affected mailbox and generate a new password or set one manually
2. Log in to the affected mailbox via webmail and go to Settings > Filters to remove the malicious forwarding rule.
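To check whether other mailboxes on the server forward mail the same way, the sieve redirect records in /var/log/maillog can be summarised per mailbox. The script below is an added example, not part of the original Plesk article; the function names, the sample log lines and their timestamp/hostname prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example: count Dovecot sieve "redirect action" records per
# mailbox/destination pair and flag destinations outside the mailbox's domain.

list_sieve_redirects() {
    # $1: mail log path (e.g. /var/log/maillog); reads stdin when omitted.
    awk '
    /sieve: / && /redirect action: forwarded to / {
        user = ""; target = ""
        # Mailbox the sieve script ran for: "user=<addr>,"
        if (match($0, /user=[^, ]+/)) {
            user = substr($0, RSTART + 5, RLENGTH - 5)
            gsub(/[<>]/, "", user)
        }
        # Destination follows "forwarded to", optionally wrapped in <...>
        if (match($0, /forwarded to <?[^ >]+/)) {
            target = substr($0, RSTART + 13, RLENGTH - 13)
            sub(/^</, "", target)
        }
        if (user == "" || target == "") next
        udom = user;   sub(/.*@/, "", udom)
        tdom = target; sub(/.*@/, "", tdom)
        scope = (tolower(udom) == tolower(tdom)) ? "internal" : "EXTERNAL"
        count[user " -> " target " " scope]++
    }
    END { for (k in count) print count[k], k }
    ' "${1:--}" | sort -rn
}

sample_maillog() {
    # Constructed sample records; only the first follows the article verbatim.
    cat <<'EOF'
Nov 12 01:02:03 host dovecot service=lda, user=contact@example.com, ip=[]. sieve: msgid=618dad9e22271@example.com: redirect action: forwarded to jdoe@example.net
Nov 12 01:05:10 host dovecot: service=lda, user=contact@example.com, ip=[]. sieve: msgid=<a1@example.org>: redirect action: forwarded to <jdoe@example.net>
Nov 12 01:06:00 host dovecot: service=lda, user=info@example.com, ip=[]. sieve: msgid=<b2@example.org>: redirect action: forwarded to <sales@example.com>
Nov 12 01:07:00 host dovecot: service=lda, user=info@example.com, ip=[]. sieve: msgid=<c3@example.org>: stored mail into mailbox 'INBOX'
EOF
}

# Demo on the constructed sample; on a server: list_sieve_redirects /var/log/maillog
sample_maillog | list_sieve_redirects
```

Each output line is a count followed by `mailbox -> destination` and a scope label; any `EXTERNAL` pair the mailbox owner does not recognise should be handled with the resolution steps above.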