Proving that a user deleted their own email in webmail

We have a customer reporting that all of their email (several hundred) vanished from their inbox this morning.

I checked the POP and IMAP logs and did not find a bunch of delete requests, but I see in the logs where Smartermail performed a cleanup operation on the deleted items folder.

This suggests that the user deleted the mail in their inbox via webmail.

I'm trying to find a corresponding log file entry that proves or disproves that the user deleted the messages themselves.

Based on these threads, it sounds like the only webmail logging that takes place is within the web server (IIS)

https://portal.smartertools.com/community/a337/which-log-records-webmail-access-.aspx
https://portal.smartertools.com/community/a87558/log-mail-portion-of-webmail-activity.aspx

Can SmarterTools provide a string I can search for within the IIS logs which will match on webmail delete operations?

Paul Blank Replied

11/22/2016 at 11:33 AM

Not sure if this has anything to do with the deletions, but I have commented before that it's much too easy to check the box at the top of a mailbox, hit Delete, and then erase everything in that mailbox.

Alas, I can offer no assistance with trying to prove who or what deleted those emails. As usual, good daily backups plus full archiving can be a "lifesaver" if implemented.

CCC Replied

11/23/2016 at 7:17 AM

I didn't see the post below previously, but looks like a similar question was asked last year but never answered.

http://portal.smartertools.com/community/a86568/deleting-messages-using-webmail-any-record-of-activity-in-any-log.aspx

CCC Replied

11/23/2016 at 8:10 AM

Agreed Paul. I was able to restore from backup, just would be nice if there were log files showing what happened.

3 Replies

Reply to Thread

Related Knowledge Base Articles

3 Replies

Reply to Thread

Tags

Related Knowledge Base Articles