I enabled the new email forwarding beta on two separate and different domains, managed from two different Cloudflare accounts.
Between yesterday and today I got suspicious messages (on private email addresses, so I wonder how they could have gotten them), in two stages:
First, I got messages from a Gmail address like:
Questo è un test, se riesco a inviare correttamente le e-mail.
(this is a test, to see if I can send emails correctly)
Sto verificando se l’invio di e-mail nel mio account di posta funziona correttamente. Si prega di ignorare questo messaggio, mi dispiace.
(I am testing if I can send email, please ignore this message)
Then, after a short time, I got emails as if someone were using my email address to send stuff:
A message that you sent contained no recipient addresses, and therefore no
delivery could be attempted.
------ This is a copy of your message, including all the headers. ------
Subject: Contato do site.
X-PHP-Script: compromised.domain/site/controller/contato.php for 188.8.131.52
Content-type: text/html; charset=UTF-8
From: [email protected]
Message-Id: [email protected]
Date: Sun, 20 Feb 2022 10:52:50 -0300
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
Domain compromised.domain has exceeded the max emails per hour (130%) allowed. Message discarded.
So, I am worried about this because it happened just a few days after I set up Cloudflare email forwarding, and it never happened before. Just a coincidence? My email accounts are protected by 2FA and I see nothing suspicious in the access logs. The addresses aren't published on webpages, but they have been used in the past to register on forums and websites, and due to hacks/leaks they are present in the HIBP database (of course the leaked passwords don't match, as I use a password manager with unique passwords per site).
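As an added example (not part of the original post), the script below parses a non-delivery report like the one quoted above and pulls out the headers that identify where the copied message actually originated (the X-PHP-Script host and client IP) versus the address it claims in From:. The sample bounce is constructed from the post's text; the mailbox addresses and Message-Id are placeholders, not values from the page. It also handles the second kind of bounce the post shows, where no copy of the original message is included.

```python
import email
import re

# Constructed sample, modelled on the first bounce quoted in the post.
# Addresses and Message-Id are placeholders.
SAMPLE_BOUNCE_WITH_COPY = """\
A message that you sent contained no recipient addresses, and therefore no
delivery could be attempted.

------ This is a copy of your message, including all the headers. ------

Subject: Contato do site.
X-PHP-Script: compromised.domain/site/controller/contato.php for 188.8.131.52
Content-type: text/html; charset=UTF-8
From: victim@example.com
Message-Id: <placeholder-id@compromised.domain>
Date: Sun, 20 Feb 2022 10:52:50 -0300

<p>form body</p>
"""

# Constructed sample, modelled on the second bounce: a rate-limit rejection with no copy.
SAMPLE_BOUNCE_NO_COPY = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

Domain compromised.domain has exceeded the max emails per hour (130%) allowed. Message discarded.
"""

COPY_MARKER = "This is a copy of your message, including all the headers."


def extract_copied_message(bounce_text):
    """Return the embedded copy of the original message (headers + body), or '' if none."""
    idx = bounce_text.find(COPY_MARKER)
    if idx < 0:
        return ""
    parts = bounce_text[idx:].split("\n", 1)
    return parts[1].lstrip("\n") if len(parts) == 2 else ""


def triage_bounce(bounce_text):
    """Classify a bounce by comparing the claimed From: domain with the real sending host.

    X-PHP-Script is added by PHP's mail() and names the script path and the client IP
    that triggered it; a From: domain that differs from the script's host indicates the
    address was simply spoofed by a third-party script (backscatter), not sent by the
    mailbox owner.
    """
    copied = extract_copied_message(bounce_text)
    result = {"verdict": "no-copy", "from_domain": None,
              "origin_host": None, "script": None, "client_ip": None}
    if not copied:
        return result

    msg = email.message_from_string(copied)
    from_addr = msg.get("From", "")
    addr_match = re.search(r"[\w.+-]+@([\w.-]+)", from_addr)
    result["from_domain"] = addr_match.group(1).lower() if addr_match else None

    script_hdr = msg.get("X-PHP-Script", "")
    script_match = re.match(r"(\S+)\s+for\s+(\S+)", script_hdr)
    if script_match:
        result["script"] = script_match.group(1)
        result["client_ip"] = script_match.group(2)
        result["origin_host"] = script_match.group(1).split("/")[0].lower()

    if result["origin_host"] and result["from_domain"]:
        if result["origin_host"] != result["from_domain"]:
            result["verdict"] = "backscatter-from-third-party-script"
        else:
            result["verdict"] = "sent-from-own-domain-review-host"
    else:
        result["verdict"] = "needs-manual-review"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_BOUNCE_WITH_COPY, SAMPLE_BOUNCE_NO_COPY):
        print(triage_bounce(sample))
```

The useful signal for the situation in the post is the mismatch: the copied message names a PHP contact-form script on another host as its origin, so the bounces are evidence that a third party's web form is spoofing the address, not that the forwarding setup or the mailbox itself was compromised.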