Modern mail infrastructures face more threats than ever before. One of the most overlooked risks is unauthorized Sieve redirect rules silently forwarding emails to external addresses.
To help detect and control these threats, we developed EAK MailGuard SieveWatch.
SieveWatch is a lightweight monitoring and protection tool designed for Linux mail servers. It scans user Sieve files, detects suspicious redirect rules, and helps administrators identify potentially compromised mail accounts before they become a larger security incident.
When a mailbox is compromised, attackers often create hidden forwarding rules to silently copy incoming emails to external addresses.
This can lead to:
Sensitive information leaks
Business email compromise (BEC)
Long-term persistence inside mail accounts
Silent monitoring of internal communications
Traditional monitoring systems frequently miss these forwarding rules.
EAK MailGuard SieveWatch automatically scans Sieve configurations and helps administrators detect dangerous or unauthorized redirect rules.
Core features include:
Automated Sieve rule scanning
Redirect rule detection
Allowlist support for trusted destinations
Safe disable mode with backup creation
Daily reporting
Lightweight Python-based architecture
Production-friendly design
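The kind of check described above, redirect detection with an allowlist, can be sketched as follows. This is an added example, not SieveWatch's own code; the allowlisted domain, the sample script and all function names are constructed for illustration.

```python
import re

# Constructed allowlist and sample script; names and domains are assumptions.
ALLOWED_DOMAINS = {"example.com"}
SAMPLE = r'''require ["copy", "fileinto"];
# redirect "old@external.test";   (commented out, must not alert)
if header :contains "subject" "redirect \"me\"; # not code" {
    fileinto "Notes";
}
redirect :copy "archive@example.com";
redirect :copy "drop.box@mail.invalid";
'''

# Left-to-right scanning keeps a '#' inside a quoted string as data.
TOKEN = re.compile(r'''
    "(?:\\.|[^"\\])*"     # quoted string, with backslash escapes
  | \#[^\n]*              # hash comment
  | /\*.*?\*/             # bracket comment
  | [A-Za-z_:]\w*         # command name or :tag
  | [;{}\[\],()]          # punctuation
''', re.X | re.S)

def find_redirects(script):
    """Return (address, has_copy_tag) for each redirect command."""
    tokens = [t for t in TOKEN.findall(script) if not t.startswith(("#", "/*"))]
    hits = []
    for i, tok in enumerate(tokens):
        at_start = i == 0 or tokens[i - 1] in (";", "{", "}")
        if tok.lower() != "redirect" or not at_start:
            continue
        args = []
        for nxt in tokens[i + 1:]:
            if nxt == ";":
                break
            args.append(nxt)
        strings = [a for a in args if a.startswith('"')]
        if strings:  # the address is the last positional string argument
            addr = re.sub(r"\\(.)", r"\1", strings[-1][1:-1])
            hits.append((addr, ":copy" in (a.lower() for a in args)))
    return hits

def audit(script, allowed=ALLOWED_DOMAINS):
    """Return redirects whose destination domain is not allowlisted."""
    findings = []
    for addr, copy in find_redirects(script):
        domain = addr.rpartition("@")[2].lower()
        if "@" not in addr or domain not in allowed:
            findings.append({"address": addr, "keeps_local_copy": copy})
    return findings
```

Multi-line `text:` strings are not handled here, and a redirect with `:copy` is flagged separately because it leaves the message in the mailbox, so the owner sees nothing missing.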
SieveWatch was built from real-world production experience operating Linux-based mail infrastructures.
It is especially useful for:
Hosting providers
DirectAdmin servers
HestiaCP environments
Enterprise Linux mail servers
High-volume mail infrastructures
Unlike heavy security suites, SieveWatch focuses on solving a specific but critical problem with minimal overhead.
The goal is simple:
Detect suspicious forwarding activity early and help administrators maintain control over their mail infrastructure.
SieveWatch is developed as part of the EAK MailGuard ecosystem, focused on improving mail security, deliverability, abuse prevention, and infrastructure visibility.