Webmail used to setup forwarder or e-mail filter to unknown e-mail address


Active Member
Apr 17, 2011
is there a way to know when someone creates e-mail forwarder or an e-mail filter? Some kind of notification so that we can check is everything ok?

I am asking this because lately there are a lot of false "your email will be closed... click here" emails, and I guess some of our users fall for this false emails and enter their email password.

Then the malicious person uses webmail to setup forwarder or mail filter to their email address. Basically no one knows that this happened. It is not a good feeling that you find out that all your emails were being forwarded to who knows who. The only thing that helps us is when the malicious spammer/hacker email is full and then someone who send you an email receives "mail delivery failure...".

Any advice what to do. We have already informed our users not to fall for those false "login" emails, but that didn't solve the problem. I guess there are other ways they "loose" their passwords.


Product Owner II
Staff member
Nov 14, 2017
There's not a feature that will notify the admin of changes to this and @keat63 your suggestion for a feature request is exactly what I'd say for this.

Meanwhile, though there's no built-in functionality for this you could set up an audit rule and have it emailed every so often.

If you're not familiar with auditd, we have a tutorial on it here: Tutorial - Auditd - The Linux Auditing System
  • Like
Reactions: zodiac9797