Are bots taking advantage of something in the Email Forwarding or it's just a coincidence?

I enabled the new email forwarding beta on two separate and different domains, managed from two different Cloudflare accounts.

Between yesterday and today I got suspicious messages (on private emails, so I wonder how they can got it), in two stages:

First stage:

I get messages from a gmail like:

Questo è un test, se riesco a inviare correttamente le e-mail.

(this is a test, to see if i can send emails)


Sto verificando se l’invio di e-mail nel mio account di posta funziona correttamente. Si prega di ignorare questo messaggio, mi dispiace.

(I am testing if i can send email, please ignore this message)

Second step:

Then, after a short times I get emails like if someone is using my email to sending stuff

A message that you sent contained no recipient addresses, and therefore no
delivery could be attempted.

------ This is a copy of your message, including all the headers. ------

Subject: Contato do site.
X-PHP-Script: compromised.domain/site/controller/contato.php for
X-PHP-Originating-Script: 1161:contato.php
MIME-Version: 1.1
Content-type: text/html; charset=UTF-8
From: [email protected]
Message-Id: [email protected]
Date: Sun, 20 Feb 2022 10:52:50 -0300


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
Domain compromised.domain has exceeded the max emails per hour (130%) allowed. Message discarded.

---------- Forwarded message ----------
From: [email protected]
To: [email protected]
Date: Sun, 20 Feb 2022 10:52:53 -0300
Subject: Contato do site.

So, I am worrying about this because it happened just a few days after I setup Cloudflare email forwarding and it never happened before. Just a coincidence? My email accounts are protected by 2FA and I see nothing suspicious in the access logs. The emails aren’t published on webpages, but they have been used in the past to register to forums and websites and due to hacks/leaks are present in HIBP database (of course the leaked passwords don’t match as i use a password manager with unique passwords per site)

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.