Symptoms
- All mail from a Plesk email address is forwarded to an unknown email address, with these records logged to /var/log/maillog:
  dovecot service=lda, user=john.doe@example.com, ip=[]. sieve: msgid=618dad9e22271@example.com: redirect action: forwarded to unknown@example.com
- There are unknown forwarding rules in Roundcube (webmail.example.com > Settings > Filters)
Cause
The account has been compromised; the attacker created the forwarding rules in webmail.
Resolution
Secure the account and remove the forwarding rules.
- Set a stronger password for the affected account
- Log in to the affected mailbox in webmail
- Go to Settings > Filters and remove the malicious forwarding rule(s).
To help prevent such issues, harden the Plesk server: How to secure a Plesk server
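To check whether other mailboxes on the server have the same kind of rule, the sieve redirect records shown under Symptoms can be summarized per mailbox and destination. The script below is an added example, not part of the original article; the sample log lines are constructed, and `KNOWN_FORWARDS` is a hypothetical allowlist of forwards that mailbox owners have confirmed.

```python
import re
import sys
from collections import Counter

# Matches the dovecot LDA sieve redirect record shown under Symptoms.
# Angle brackets around addresses are treated as optional (assumption:
# some log formats include them, the excerpt above does not).
REDIRECT_RE = re.compile(
    r"service=lda,\s*user=<?(?P<user>[^\s,<>]+)>?,.*?sieve:.*?"
    r"redirect action: forwarded to\s+<?(?P<dest>[^\s<>]+)>?"
)

def find_redirects(lines):
    """Count sieve redirects per (mailbox, destination) pair."""
    counts = Counter()
    for line in lines:
        m = REDIRECT_RE.search(line)
        if m:
            counts[(m["user"].lower(), m["dest"].lower())] += 1
    return counts

def unexpected_redirects(lines, known_forwards):
    """Drop pairs the administrator has confirmed as legitimate forwards."""
    known = {(u.lower(), d.lower()) for u, d in known_forwards}
    return {p: n for p, n in find_redirects(lines).items() if p not in known}

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    "Nov 12 03:14:07 srv dovecot: service=lda, user=john.doe@example.com, ip=[]. "
    "sieve: msgid=<a1@example.com>: redirect action: forwarded to <unknown@example.com>",
    "Nov 12 03:15:41 srv dovecot service=lda, user=john.doe@example.com, ip=[]. "
    "sieve: msgid=a2@example.com: redirect action: forwarded to unknown@example.com",
    "Nov 12 03:16:02 srv dovecot: service=lda, user=jane@example.com, ip=[]. "
    "sieve: msgid=<a3@example.com>: redirect action: forwarded to <jane@example.org>",
    "Nov 12 03:17:30 srv dovecot: service=lda, user=bob@example.com, ip=[]. "
    "sieve: msgid=<a4@example.com>: stored mail into mailbox 'INBOX'",
]
# Hypothetical allowlist of forwards the mailbox owners set up themselves.
KNOWN_FORWARDS = [("jane@example.com", "jane@example.org")]

if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/maillog) or run on the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    for (user, dest), n in sorted(unexpected_redirects(lines, KNOWN_FORWARDS).items()):
        print(f"{user} -> {dest}: {n} message(s) redirected")
```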