I just want to let you know that it looks like someone from Nigeria logged in using webmail (this is also interesting because almost always hijacked accounts are being used for SMTP spamming but not this time) to client account, done something with his emails (I don't know if messages where browsed or not) and then removed all messages from Inbox (year 2013 until yesterday - about 3.3k messages). I have a backup so there is no problem to restore it but IMHO webmail logging MUST be more detailed.
Currently it looks like this:
[2015.06.30] 23:45:57 PM [IPFROMNIGERIA][mksbk3] Attempting to login : CLIENTEMAILADDRESS
[2015.06.30] 23:45:57 PM [IPFROMNIGERIA][mksbk3][Domain : MAILDOMAIN] Login was successful : [CLIENTEMAILADDRESS (User)]
[2015.06.30] 23:55:17 PM [IPFROMNIGERIA][mksbk3][Domain : MAILDOMAIN] Logged Out : [CLIENTEMAILADDRESS (User)]
and thats all. I have no idea what was done in this 10 minutes between logging in and logging out.