Proving that a user deleted their own email in webmail
Question asked by CCC - November 22, 2016 at 10:09 AM
We have a customer reporting that all of their email (several hundred) vanished from their inbox this morning.  
I checked the POP and IMAP logs and did not find a bunch of delete requests, but I see in the logs where Smartermail performed a cleanup operation on the deleted items folder.
This suggests that the user deleted the mail in their inbox via webmail.
I'm trying to find a corresponding log file entry that proves or disproves that the user deleted the messages themselves.
Based on these threads, it sounds like the only webmail logging that takes place is within the web server (IIS)
Can SmarterTools provide a string I can search for within the IIS logs which will match on webmail delete operations? 

3 Replies

Reply to Thread
Paul Blank Replied
Not sure if this has anything to do with the deletions, but I have commented before that it's much too easy to check the box at the top of a mailbox, hit Delete, and then erase everything in that mailbox.
Alas, I can offer no assistance with trying to prove who or what deleted those emails.  As usual, good daily backups plus full archiving can be a "lifesaver" if implemented.
CCC Replied
I didn't see the post below previously, but looks like a similar question was asked last year but never answered.
CCC Replied
Agreed Paul. I was able to restore from backup, just would be nice if there were log files showing what happened.

Reply to Thread