If a domain only points to another domain, the first domain has very little security exposure. Unfortunately, people will often forward an old domain to a new domain but still leave hosting set up on the old domain (often with weak passwords), and then get hacked. I've seen it many times.
Usually, mail servers are "hacked" by getting folks to turn over their mail credentials voluntarily (via, for example, emails that say things like "AOL alert: Your mail is over quota and will be shut down if you don't click on this link and enter your email address and password...") It is possible to do brute-force hacking of email accounts with weak passwords, and folks do do that, but phishing attacks are more common in my experience. Why try to hack when you can get someone to turn over access to their email account voluntarily?
