How to Find Hidden Email Forwarding and Filter Rules

    Email forwarding and filter rules are handy features that help manage your inbox. But did you know they can also be used by an attacker to spy on your emails, even after you've changed your password? This guide will show you how to find and remove any hidden forwarding or filter rules that an attacker might have set up.

    If you've recently had an email account hacked, it's crucial to check for these hidden rules immediately after changing your password. This closes a sneaky backdoor an attacker might use to maintain access.

    What are email forwarding and filter rules?

    Email forwarding automatically sends a copy of your incoming emails to another email address. This is often used to consolidate multiple email accounts into one.

    Filter rules, sometimes called "inbox rules," automatically perform actions on incoming emails, such as moving them to a specific folder, marking them as read, or even deleting them. Attackers can create rules to auto-forward your emails to their own address, or to hide their activities by moving your password reset emails to an obscure folder.

    Why attackers love these rules

    Imagine you've been hacked, and you've done the right thing by changing your password. Great! But if an attacker has set up a forwarding rule, they'll *still* receive copies of your emails, including sensitive information or even new password reset links. They'll continue to spy on you without you even knowing.

    Similarly, filter rules can be used to hide evidence of their activity. They might set up a rule to automatically move any security alerts from your email provider into your spam or trash folder, or to a newly created, obscure folder that you'd likely never check. This way, you remain unaware of ongoing compromises.

    Checking common email services for forwarding rules

    The way to check for forwarding rules varies slightly depending on your email provider. We'll cover the most popular ones, but the general principle is similar across all services: look for "Settings" or "Options," then find a section related to "Forwarding" or "Mail Flow."

    • For Gmail: Click the gear icon > 'See all settings' > 'Forwarding and POP/IMAP'. Look for any enabled forwarding addresses you didn't set up.
    • For Outlook (web version): Click the gear icon > 'View all Outlook settings' > 'Mail' > 'Forwarding'. Ensure "Enable forwarding" is unticked unless you specifically set it up.
    • For Yahoo Mail: Hover over the gear icon > 'More Settings' > 'Mailboxes' > select your email address > 'Forwarding'. Check if an unfamiliar address is listed.

    Checking common email services for filter rules

    Filter rules are usually found in a similar part of the settings as forwarding options. These rules can be a bit more complex, so carefully review any rules that seem unusual or that you don't remember creating. Pay close attention to rules that automatically delete, move, or mark emails as read.

    • For Gmail: Click the gear icon > 'See all settings' > 'Filters and Blocked Addresses'. Look for any rules that send mail to trash, skip the inbox, or forward to unfamiliar addresses.
    • For Outlook (web version): Click the gear icon > 'View all Outlook settings' > 'Mail' > 'Rules'. Carefully examine each rule for suspicious actions or conditions.
    • For Yahoo Mail: Hover over the gear icon > 'More Settings' > 'Filters'. Check for any unusual filters that might be hiding emails.

    What to do if you find something suspicious

    If you discover any forwarding or filter rules that you didn't create, it's a strong indication that your account has been compromised. Don't panic, but act swiftly.

    • Immediately delete any suspicious forwarding addresses or filter rules.
    • Change your email account password to a strong, unique one you haven't used before.
    • Enable two-factor authentication (2FA) if you haven't already. This adds an extra layer of security.
    • Review your recent activity or login history (most email providers offer this) to identify any unfamiliar access.
    • Check your other online accounts (e.g., banking, social media) that use this email address for password resets, and change those passwords too if necessary.

    Key takeaway

    Regularly checking your email forwarding and filter rules is a simple yet powerful way to protect your privacy and security. By knowing what to look for and how to remove suspicious settings, you can prevent attackers from maintaining hidden access to your inbox. Make it a habit to review these settings periodically, especially after any security incidents.

    More from Monitoring & Surveillance

    No image

    How to Protect Yourself While You Work Out What's Happening

    Reduce the chance of monitoring being re-established once you're safe.
    No image

    How to Quietly Investigate Suspected Partner Monitoring

    Removing stalkerware can escalate abuse. Plan the cleanup with a professional, then act.
    No image

    How to Tell If Partner Monitoring Is Real When You're Not Sure

    Your physical safety comes first. Don't touch the monitored device until you have help in place.