1
webmail log
Question asked by Sabatino - Yesterday at 2:00 AM
Answered
I have a client who only uses webmail
He deleted all the messages and tells me he doesn't remember doing it.
I wanted to find some references, but I realized that I can't find a log of the activities done via webmail

I expected to find a login maybe on imap.

But I didn't find anything
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy

8 Replies

0
Matt Petty Replied
Employee Post
Here's a cool trick, the "change_number" can actually be used to get a Date, down to the second of when the change was made.

Copy that number and then run it through this JS function (use an online compiler or your browser's console to do this)
function toUtcDate(cn) { return cn === 0 ? new Date(0) : new Date(2018, 0, 1, 0, 0, cn >> 16);}

You could go into the folders.json for the folders they modified (unless the folders themselves are gone) and you could potentially use the change numbers to at least track down a Date/Time of the modifications.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
1
Sabatino Replied
Thanks, but it doesn't solve my problem.
I would like to have a log of the operations done via webmail.
As it happens with the imap log where I find

[2025.06.05] 18:08:40.251 [xxx.xxx.xxx.xxx][51151625] command: A191 UID MOVE 152044 "Deleted Items"

for a message moved to the trash

and

[2025.06.05] 18:09:43.506 [xxx.xxx.xxx.xxx][51151625] command: A193 UID STORE 152041 +FLAGS.SILENT (\Deleted)
[2025.06.05] 18:09:43.508 [xxx.xxx.xxx.xxx][51151625] response: A193 OK STORE completed
[2025.06.05] 18:09:43.528 [xxx.xxx.xxx.xxx][51151625] command: A194 UID EXPUNGE 152041

for a permanently deleted message
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Tony Scholz Replied
Employee Post Marked As Answer
The administrative log will show when something is done via webmail. 

[2025.06.05] 10:10:21.212 [10.1.1.80] User admin@ as Aaron@domain.tld calling delete messages, folder: Inbox, owner: Aaron@domain.tld, all: , count: 0
[2025.06.05] 10:10:23.290 [10.1.1.80] User admin@ as Aaron@domain.tld calling patch message, owner: Aaron@domain.tld, count: 1, folder: Deleted Items
[2025.06.05] 10:10:26.244 [10.1.1.80] User admin@ as Aaron@domain.tld calling delete messages, folder: Deleted Items, owner: Aaron@domain.tld, all: , count: 0
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
0
Sabatino Replied
I have to tell you that I am very perplexed.
I did some tests on a test account

I deleted 3 messages first using the trash
Then I deleted 3 messages permanently (no trash)
Then I used the delete all folder content function

[2025.06.06] 09:45:15.593 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 3
[2025.06.06] 09:45:53.846 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 3
[2025.06.06] 09:46:31.697 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 0



Here's what I found in the administrative log

1) There is no distinction between messages that end up in the trash and those that do not
2) When deleting all the contents of the folder, count=0





Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Sabatino Replied
The problem is that, to date, when a customer tells me that he has not deleted anything and that the problem is on the server, I have no way to give him any proof.

I would like to have a log that tells me

at xx hours of day yy you deleted xxxx messages from the ip address... via (webmail, imap, etc)
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
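A report of the kind described above can be assembled from the two log formats quoted in this thread; the following is an added example, not part of the thread and not SmarterTools code. The sample lines, IP addresses and function names are constructed, and the regular expressions assume only the fields visible in the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample lines in the two formats quoted in this thread; the IPs
# are documentation addresses, the session id and UIDs are placeholders.
ADMIN_LOG = """\
[2025.06.06] 09:45:15.593 [203.0.113.7] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 3
[2025.06.06] 09:46:31.697 [203.0.113.7] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 0
[2025.06.06] 09:50:02.100 [10.1.1.80] User admin@ as user@domain.tld calling delete messages, folder: Deleted Items, owner: user@domain.tld, all: , count: 0
"""
IMAP_LOG = """\
[2025.06.06] 09:40:10.251 [198.51.100.20][51151625] command: A191 UID MOVE 152044 "Deleted Items"
[2025.06.06] 09:41:43.506 [198.51.100.20][51151625] command: A193 UID STORE 152041 +FLAGS.SILENT (\\Deleted)
[2025.06.06] 09:41:43.528 [198.51.100.20][51151625] command: A194 UID EXPUNGE 152041
"""
STAMP = r"\[(\d{4}\.\d\d\.\d\d)\] (\d\d:\d\d:\d\d\.\d+) \[([^\]]+)\]"
ADMIN_RE = re.compile(STAMP + r" User (\S+)(?: as (\S+))? calling delete messages,"
                      r" folder: (.+?), owner: \S+, all: .*?, count: (\d+)\s*$")
IMAP_RE = re.compile(STAMP + r'\[(\d+)\] command: \S+ UID (MOVE|EXPUNGE) (\S+)(?: "([^"]*)")?')

def _event(day, clock, ip, via, who, what, count):
    when = datetime.strptime(f"{day} {clock}", "%Y.%m.%d %H:%M:%S.%f")
    return {"when": when, "ip": ip, "via": via, "who": who, "what": what, "count": count}

def deletion_timeline(admin_text, imap_text, trash="Deleted Items"):
    events = []
    for m in filter(None, map(ADMIN_RE.match, admin_text.splitlines())):
        day, clock, ip, actor, as_user, folder, count = m.groups()
        who = f"{actor} as {as_user}" if as_user else actor
        # count: 0 was seen in the thread for "delete all folder content": treat as unknown.
        events.append(_event(day, clock, ip, "webmail", who,
                             f"delete messages in {folder}", int(count) or None))
    for m in filter(None, map(IMAP_RE.match, imap_text.splitlines())):
        day, clock, ip, session, verb, uids, target = m.groups()
        if verb == "MOVE" and target != trash:
            continue  # ordinary move between folders, not a deletion
        what = f"move UID {uids} to trash" if verb == "MOVE" else f"expunge UID {uids}"
        # These IMAP lines carry a session id, not an account name; UID sets are not expanded.
        events.append(_event(day, clock, ip, "imap", f"session {session}", what,
                             1 if uids.isdigit() else None))
    return sorted(events, key=lambda e: e["when"])

def report(events):
    return [f"{e['when']:%Y-%m-%d %H:%M:%S} {e['ip']} via {e['via']} {e['who']}: {e['what']}"
            + (f" (count {e['count']})" if e["count"] else " (count not logged)")
            for e in events]

if __name__ == "__main__":
    print("\n".join(report(deletion_timeline(ADMIN_LOG, IMAP_LOG))))
```

The administrative-log entries still cannot say whether a webmail delete went to the trash or was permanent, so the report keeps the logged wording rather than guessing.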
0
Douglas Foster Replied
Any possibility that his folder exists but was dragged inside another folder by accident?
0
Sabatino Replied
No. He had actually deleted the messages.
However, I have already recovered everything from the backups.
In general, however, I would like to have a way to demonstrate to the customer with the logs when and from which IPs he had deleted the messages
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Douglas Foster Replied
Agreed
