4
webmail log
Question asked by Sabatino - 6/5/2025 at 2:00 AM
Answered
I have a client who only uses webmail
He deleted all the messages and tells me he doesn't remember doing it.
I wanted to find some references, but I realized that I can't find a log of the activities done via webmail

I expected to find a login maybe on imap.

But I didn't find anything
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy

13 Replies

0
Matt Petty Replied
Employee Post
Here's a cool trick, the "change_number" can actually be used to get a Date, down to the second of when the change was made.

Copy that number and then run it through this JS function (use an online compiler or your browser's console to do this):
function toUtcDate(cn) { return cn === 0 ? new Date(0) : new Date(2018, 0, 1, 0, 0, cn >> 16);}

You could go into the folders.json for the folders they modified (unless the folders themselves are gone) and you could potentially use the change numbers to at least track down a Date/Time of the modifications.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
1
Sabatino Replied
Thanks, but it doesn't solve my problem.
I would like to have a log of the operations done via webmail.
As it happens with the imap log where I find

[2025.06.05] 18:08:40.251 [xxx.xxx.xxx.xxx][51151625] command: A191 UID MOVE 152044 "Deleted Items"

for a message moved to the trash

and

[2025.06.05] 18:09:43.506 [xxx.xxx.xxx.xxx][51151625] command: A193 UID STORE 152041 +FLAGS.SILENT (\Deleted)
[2025.06.05] 18:09:43.508 [xxx.xxx.xxx.xxx][51151625] response: A193 OK STORE completed
[2025.06.05] 18:09:43.528 [xxx.xxx.xxx.xxx][51151625] command: A194 UID EXPUNGE 152041

for a permanently deleted message
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Tony Scholz Replied
Employee Post Marked As Answer
The administrative log will show when something is done via webmail. 

[2025.06.05] 10:10:21.212 [10.1.1.80] User admin@ as Aaron@domain.tld calling delete messages, folder: Inbox, owner: Aaron@domain.tld, all: , count: 0
[2025.06.05] 10:10:23.290 [10.1.1.80] User admin@ as Aaron@domain.tld calling patch message, owner: Aaron@domain.tld, count: 1, folder: Deleted Items
[2025.06.05] 10:10:26.244 [10.1.1.80] User admin@ as Aaron@domain.tld calling delete messages, folder: Deleted Items, owner: Aaron@domain.tld, all: , count: 0
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
1
Sabatino Replied
I have to tell you that I am very perplexed.
I did some tests on a test account

I deleted 3 messages first using the trash
Then I deleted 3 messages permanently (no trash)
Then I used the delete all folder content function

[2025.06.06] 09:45:15.593 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 3
[2025.06.06] 09:45:53.846 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 3
[2025.06.06] 09:46:31.697 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 0



Here's what I found in the administrative log:

1) There is no distinction between messages that end up in the trash and those that do not
2) When deleting all the contents of the folder, count=0
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Sabatino Replied
The problem is that, to date, when a customer tells me that he has not deleted anything and that the problem is on the server, I have no way to give him any proof.

I would like to have a log that tells me

at xx hours of day yy you deleted xxxx messages from the ip address... via (webmail, imap, etc)
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Douglas Foster Replied
Any possibility that his folder exists but was dragged inside another folder by accident?
0
Sabatino Replied
No. He had actually deleted the messages.
However, I have already recovered everything from the backups.
In general, however, I would like to have a way to demonstrate to the customer with the logs when and from which IPs he had deleted the messages.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
1
Douglas Foster Replied
Agreed
4
This was reported countless times in the past.

I even suggested how the logs have to work (copied from Kerio, which has the best logging system for client operations I have ever seen), but nothing happens...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
J. LaDow Replied
We had a user's mailbox get compromised via webmail, and in our Administrative log we could basically see everything that user did with messages -- including sending the BEC emails, then deleting them, then deleting them from the deleted items folder.  Granted, it's not the most complete - but it does show quite a bit.

Our administrative log is set to detailed --

[day-1]
12:26:51.437 [169.150.224.147] Webmail Attempting to login user: frank@targeted-domain.com
12:26:51.437 [169.150.224.147] Webmail Login successful: With user frank@targeted-domain.com
13:59:38.263 [102.129.153.89] User frank@targeted-domain.com calling send message, subject: FWD: Revised Wiring instructions
14:00:24.084 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: sent items, owner: frank@targeted-domain.com, all: , count: 1
14:00:31.463 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: sent items, owner: frank@targeted-domain.com, all: , count: 1
14:02:10.855 [102.129.153.89] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: deleted items, newOwner: frank@targeted-domain.com, new folder: sent items, count: 1
14:02:28.943 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
14:17:36.329 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
14:17:58.263 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
14:19:07.234 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
14:19:48.614 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
14:22:53.258 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 2
14:36:04.842 [102.129.153.89] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: Junk E-Mail



[day-2]
14:35:54.083 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: junk e-mail
14:39:39.158 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
14:39:56.136 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
15:25:40.372 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
15:25:42.123 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
15:26:26.442 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: sent items
15:30:28.531 [102.129.153.168] User frank@targeted-domain.com calling send message, subject: RE: Fwd: Wiring instructions and vehicle info
15:44:08.680 [102.129.153.168] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: sent items, newOwner: frank@targeted-domain.com, new folder: archive\inbox (2015), count: 1
15:58:18.596 [102.129.153.168] User frank@targeted-domain.com calling delete messages, folder: archive\inbox (2015), owner: frank@targeted-domain.com, all: , count: 1
15:59:11.013 [102.129.153.168] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
17:43:43.141 [102.129.153.168] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: archive, newOwner: frank@targeted-domain.com, new folder: archive\inbox (2020), count: 1
19:11:02.883 [102.129.153.168] Webmail Attempting to login user: Carmen@targeted-domain.com
19:11:02.883 [102.129.153.168] Webmail Login successful: With user carmen@targeted-domain.com
20:00:50.103 [102.129.153.168] User carmen@targeted-domain.com calling patch message, owner: carmen@targeted-domain.com, count: 1, folder: inbox
20:01:00.483 [102.129.153.168] User carmen@targeted-domain.com calling patch message, owner: carmen@targeted-domain.com, count: 1, folder: inbox
22:34:11.118 [198.134.109.100] Webmail Login failed: Invalid username (wade. shows@targeted-domain.com) and password combination.


[day-3]
03:30:32.961 [50.78.214.57] Webmail Attempting to login user: wade.shows@targeted-domain.com
03:30:32.961 [50.78.214.57] Webmail Login successful: With user wade.shows@targeted-domain.com
03:36:21.735 [50.78.214.57] User wade.shows@targeted-domain.com logging out
03:37:10.883 [50.78.214.57] Webmail Attempting to login user: mike@targeted-domain.com
03:37:10.883 [50.78.214.57] Webmail Login successful: With user mike@targeted-domain.com
03:37:45.558 [50.78.214.57] User mike@targeted-domain.com calling set mail settings
03:39:52.212 [50.78.214.57] User mike@targeted-domain.com calling patch message, owner: mike@targeted-domain.com, count: 1, folder: drafts
03:40:18.615 [50.78.214.57] User mike@targeted-domain.com calling patch message, owner: mike@targeted-domain.com, count: 1, folder: inbox
03:40:24.149 [50.78.214.57] User mike@targeted-domain.com logging out
03:42:42.983 [50.78.214.57] Webmail Attempting to login user: marina@targeted-domain.com
03:42:42.983 [50.78.214.57] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
03:42:42.983 [50.78.214.57] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
04:02:12.137 [50.78.214.57] Webmail Attempting to login user: marina@targeted-domain.com
04:02:12.137 [50.78.214.57] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
04:02:12.137 [50.78.214.57] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
04:02:16.951 [50.78.214.57] Webmail Attempting to login user: marina@targeted-domain.com
04:02:16.951 [50.78.214.57] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
04:02:16.951 [50.78.214.57] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
04:02:34.209 [50.78.214.57] Webmail Attempting to login user: melissa@targeted-domain.com
04:02:34.209 [50.78.214.57] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
04:02:34.209 [50.78.214.57] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
04:02:53.609 [50.78.214.57] Webmail Attempting to login user: michelle@targeted-domain.com
04:02:53.609 [50.78.214.57] Webmail Login successful: With user michelle@targeted-domain.com
04:03:12.823 [50.78.214.57] User michelle@targeted-domain.com calling patch message, owner: michelle@targeted-domain.com, count: 1, folder: inbox
04:04:11.982 [50.78.214.57] User michelle@targeted-domain.com logging out
04:04:41.609 [50.78.214.57] Webmail Attempting to login user: todd@targeted-domain.com
04:04:41.609 [50.78.214.57] Webmail Login successful: With user todd@targeted-domain.com
04:55:53.201 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: drafts
05:14:17.788 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:25:07.275 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:25:27.284 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:26:50.200 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:27:22.778 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:39:01.331 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:39:19.966 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:45:09.907 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:45:54.165 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:45:57.573 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:46:04.467 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:56:06.122 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: drafts
05:56:48.047 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: junk e-mail
05:56:50.627 [185.197.192.19] User todd@targeted-domain.com logging out
05:57:27.854 [185.197.192.19] Webmail Attempting to login user: melissa@targeted-domain.com
05:57:27.854 [185.197.192.19] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
05:57:27.854 [185.197.192.19] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
06:07:23.786 [185.197.192.19] Webmail Attempting to login user: todd@targeted-domain.com
06:07:23.786 [185.197.192.19] Webmail Login successful: With user todd@targeted-domain.com
06:10:50.556 [185.197.192.19] Webmail Attempting to login user: todd@targeted-domain.com
06:10:50.556 [185.197.192.19] Webmail Login successful: With user todd@targeted-domain.com
06:15:29.338 [185.197.192.19] User todd@targeted-domain.com calling move messages, owner: todd@targeted-domain.com, folder: inbox, newOwner: todd@targeted-domain.com, new folder: archive\inbox - 2019, count: 1
06:18:50.798 [185.197.192.19] Webmail Attempting to login user: todd@targeted-domain.com
06:18:50.798 [185.197.192.19] Webmail Login successful: With user todd@targeted-domain.com
06:32:33.983 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:32:53.633 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:33:05.607 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:33:07.295 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:33:15.753 [86.38.32.254] User todd@targeted-domain.com calling move messages, owner: todd@targeted-domain.com, folder: inbox, newOwner: todd@targeted-domain.com, new folder: archive\inbox - 2019, count: 1
06:36:34.126 [86.38.32.254] User todd@targeted-domain.com calling delete messages, folder: archive\inbox - 2019, owner: todd@targeted-domain.com, all: , count: 2
06:36:47.758 [86.38.32.254] User todd@targeted-domain.com calling delete messages, folder: deleted items, owner: todd@targeted-domain.com, all: , count: 2
07:00:13.346 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: archive\inbox (2020), owner: frank@targeted-domain.com, all: , count: 1
07:00:33.215 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
07:05:07.201 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
07:05:19.535 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
07:17:07.328 [86.38.32.254] Webmail Attempting to login user: alex@targeted-domain.com
07:17:07.328 [86.38.32.254] Webmail Login successful: With user alex@targeted-domain.com
07:18:07.280 [86.38.32.254] Autodiscover NtlmAuthenticate Login failed: Authenticate parse failed for <frank@targeted-domain.com>.
07:20:49.493 [86.38.32.254] User alex@targeted-domain.com logging out
07:27:01.525 [86.38.32.254] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
07:27:35.995 [86.38.32.254] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
07:28:13.825 [86.38.32.254] Webmail Attempting to login user: gary@targeted-domain.com
07:28:13.825 [86.38.32.254] Webmail Login successful: With user gary@targeted-domain.com
07:28:48.075 [86.38.32.254] User gary@targeted-domain.com logging out
07:29:06.897 [86.38.32.254] Webmail Attempting to login user: gene@targeted-domain.com
07:29:06.897 [86.38.32.254] Webmail Login failed: Incorrect password for user [gene@targeted-domain.com]
07:29:06.897 [86.38.32.254] Webmail Login failed: Invalid username (gene@targeted-domain.com) and password combination.
07:29:11.120 [86.38.32.254] Webmail Attempting to login user: gene@targeted-domain.com
07:29:11.120 [86.38.32.254] Webmail Login failed: Incorrect password for user [gene@targeted-domain.com]
07:29:11.120 [86.38.32.254] Webmail Login failed: Invalid username (gene@targeted-domain.com) and password combination.
07:29:37.993 [86.38.32.254] Webmail Attempting to login user: gene@targeted-domain.com
07:29:37.993 [86.38.32.254] Webmail Login successful: With user gene@targeted-domain.com
07:29:45.685 [86.38.32.254] User gene@targeted-domain.com calling set mail settings
07:29:46.325 [86.38.32.254] User gene@targeted-domain.com calling set mail settings
07:33:41.268 [86.38.32.254] User gene@targeted-domain.com logging out
07:34:38.241 [86.38.32.254] Webmail Attempting to login user: jay@targeted-domain.com
07:34:38.241 [86.38.32.254] Webmail Login successful: With user jay@targeted-domain.com
07:34:44.682 [86.38.32.254] User jay@targeted-domain.com calling set mail settings
07:35:06.067 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:20.246 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:22.873 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:26.062 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:35.755 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:36.396 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:44.635 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:55.906 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:10.054 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:15.181 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:17.167 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:25.640 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:29.908 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:32.566 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:37:03.407 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2021 and 2020
07:37:58.481 [86.38.32.254] User jay@targeted-domain.com logging out
07:38:23.353 [86.38.32.254] Webmail Attempting to login user: jimmy@targeted-domain.com
07:38:23.353 [86.38.32.254] Webmail Login successful: With user jimmy@targeted-domain.com
07:39:05.781 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:09.266 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:11.048 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:11.579 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:19.662 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:40:32.855 [86.38.32.254] User jimmy@targeted-domain.com logging out
07:41:32.901 [86.38.32.254] Webmail Attempting to login user: joanna@targeted-domain.com
07:41:32.901 [86.38.32.254] Webmail Login successful: With user joanna@targeted-domain.com
07:41:41.952 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:42:08.416 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:42:11.527 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:42:16.889 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:43:39.679 [86.38.32.254] User joanna@targeted-domain.com logging out
07:44:12.542 [86.38.32.254] Webmail Attempting to login user: johan@targeted-domain.com
07:44:12.542 [86.38.32.254] Webmail Login failed: Incorrect password for user [johan@targeted-domain.com]
07:44:12.542 [86.38.32.254] Webmail Login failed: Invalid username (johan@targeted-domain.com) and password combination.
07:44:43.795 [86.38.32.254] Webmail Attempting to login user: johan@targeted-domain.com
07:44:43.795 [86.38.32.254] Webmail Login failed: Incorrect password for user [johan@targeted-domain.com]
07:44:43.795 [86.38.32.254] Webmail Login failed: Invalid username (johan@targeted-domain.com) and password combination.
07:47:52.450 [86.38.32.254] User frank@targeted-domain.com logging out
07:53:41.194 [185.243.57.228] Webmail Attempting to login user: stephanie@targeted-domain.com
07:53:41.194 [185.243.57.228] Webmail Login failed: Incorrect password for user [stephanie@targeted-domain.com]
07:53:41.194 [185.243.57.228] Webmail Login failed: Invalid username (stephanie@targeted-domain.com) and password combination.
08:29:18.535 [185.243.57.228] Webmail Attempting to login user: shop@targeted-domain.com
08:29:18.535 [185.243.57.228] Webmail Login successful: With user shop@targeted-domain.com
08:29:27.446 [185.243.57.228] User shop@targeted-domain.com calling set mail settings
08:29:34.919 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:29:44.237 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:29:45.081 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:30:05.482 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:31:01.495 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: archive\inbox - 2022
08:31:12.860 [185.243.57.228] User shop@targeted-domain.com logging out
08:31:30.212 [185.243.57.228] Webmail Attempting to login user: ron@targeted-domain.com
08:31:30.212 [185.243.57.228] Webmail Login successful: With user ron@targeted-domain.com
08:33:11.323 [185.243.57.228] User ron@targeted-domain.com logging out
08:33:30.472 [185.243.57.228] Webmail Attempting to login user: red@targeted-domain.com
08:33:30.472 [185.243.57.228] Webmail Login failed: Incorrect password for user [red@targeted-domain.com]
08:33:30.472 [185.243.57.228] Webmail Login failed: Invalid username (red@targeted-domain.com) and password combination.
08:33:40.133 [185.243.57.228] Webmail Attempting to login user: red@targeted-domain.com
08:33:40.133 [185.243.57.228] Webmail Login successful: With user red@targeted-domain.com
08:33:42.682 [185.243.57.228] User red@targeted-domain.com calling set mail settings
08:36:08.606 [185.243.57.228] User red@targeted-domain.com logging out
08:36:31.226 [185.243.57.228] Webmail Attempting to login user: peggy@targeted-domain.com
08:36:31.226 [185.243.57.228] Webmail Login successful: With user peggy@targeted-domain.com
08:38:34.178 [185.243.57.228] User peggy@targeted-domain.com logging out
08:39:19.639 [185.243.57.228] Webmail Attempting to login user: michelle@targeted-domain.com
08:39:19.639 [185.243.57.228] Webmail Login successful: With user michelle@targeted-domain.com
08:43:21.496 [185.243.57.228] Webmail Attempting to login user: frank@targeted-domain.com
08:43:21.496 [185.243.57.228] Webmail Login successful: With user frank@targeted-domain.com
08:44:23.144 [185.243.57.228] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
08:55:37.161 [185.243.57.228] User michelle@targeted-domain.com logging out
08:55:55.482 [185.243.57.228] Webmail Attempting to login user: melissa@targeted-domain.com
08:55:55.482 [185.243.57.228] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
08:55:55.482 [185.243.57.228] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
08:56:03.564 [185.243.57.228] Webmail Attempting to login user: melissa@targeted-domain.com
08:56:03.564 [185.243.57.228] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
08:56:03.564 [185.243.57.228] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
08:56:18.869 [185.243.57.228] Webmail Attempting to login user: melissa@targeted-domain.com
08:56:18.869 [185.243.57.228] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
08:56:18.869 [185.243.57.228] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
08:56:57.138 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:56:57.138 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:56:57.138 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
08:57:16.897 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:57:16.897 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:57:16.897 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
08:58:24.477 [69.67.150.205] Webmail Attempting to login user: todd@targeted-domain.com
08:58:24.477 [69.67.150.205] Webmail Login successful: With user todd@targeted-domain.com
08:58:55.022 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:58:55.022 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:58:55.022 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
08:58:59.276 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:58:59.276 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:58:59.276 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
09:00:12.547 [69.67.150.205] User todd@targeted-domain.com calling move messages, owner: todd@targeted-domain.com, folder: inbox, newOwner: todd@targeted-domain.com, new folder: archive\inbox - 2019, count: 1
09:09:24.295 [69.67.150.205] User todd@targeted-domain.com calling get user app passwords for email , setupGuid: false isImpersonating: False
09:10:47.677 [69.67.150.205] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 2, folder: inbox
09:18:30.394 [69.67.150.205] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
09:18:47.559 [69.67.150.205] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
09:24:05.462 [69.67.150.205] User todd@targeted-domain.com logging out
09:24:48.911 [69.67.150.205] Webmail Attempting to login user: April@targeted-domain.com
09:24:48.911 [69.67.150.205] Webmail Login failed: Incorrect password for user [april@targeted-domain.com]
09:24:48.911 [69.67.150.205] Webmail Login failed: Invalid username (April@targeted-domain.com) and password combination.
09:27:20.879 [67.219.147.12] Webmail Attempting to login user: todd@targeted-domain.com
09:27:20.879 [67.219.147.12] Webmail Login successful: With user todd@targeted-domain.com
10:57:53.955 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
10:58:04.679 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
10:58:23.501 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
10:58:43.885 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 3, folder: inbox
11:03:48.462 [67.219.147.12] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: archive
11:03:49.837 [67.219.147.12] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: archive, newOwner: frank@targeted-domain.com, new folder: inbox, count: 1
11:18:31.633 [67.219.147.12] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
11:18:36.792 [67.219.147.12] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
16:14:32.276 [74.95.13.185] SMTP Attempting to login user: jay@targeted-domain.com
16:14:32.276 [74.95.13.185] SMTP Login failed: Incorrect password for user [jay@targeted-domain.com]
16:14:32.276 [74.95.13.185] SMTP Login failed: Invalid username (jay@targeted-domain.com) and password combination.
17:14:09.528 [50.78.214.57] Webmail Attempting to login user: frank@targeted-domain.com
17:14:09.528 [50.78.214.57] Webmail Login successful: With user frank@targeted-domain.com

--> ADMINISTRATOR LOGIN FOR DOMAIN <-- THIS IS AN AUTHORIZED LOGIN TO RESET PASSWORDS
17:20:32.092 [172.11.79.203] User [xxxxx-admin] as targeted-domain-admin@targeted-domain.com calling protocol usage and limits info
17:20:33.561 Attempt to show password for account: todd@targeted-domain.com made by: targeted-domain-admin@targeted-domain.com. Impersonating: False, Result: True
17:50:08.583 [172.11.79.203] User [xxxxx-admin] calling impersonate user, email: frank@targeted-domain.com, isImpersonating: False, adminId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
17:51:49.460 [172.11.79.203] User [xxxxx-admin] as frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: junk e-mail
17:51:54.790 [172.11.79.203] User [xxxxx-admin] as frank@targeted-domain.com calling Trust Senders, owner: frank@targeted-domain.com, count: 1, folder: junk e-mail
17:52:56.100 [172.11.79.203] User [xxxxx-admin] as frank@targeted-domain.com calling edit folder, folder: archive, new folder: Archive Folder, parent folder: , new parent: 
--> END ADMINISTRATOR LOGIN FOR DOMAIN <-- THIS IS AN AUTHORIZED LOGIN TO RESET PASSWORDS

Another time, we had a user delete their entire inbox via webmail but we were able to show that the IP that called the delete command was the same IP the user connected via for over a month with normal activity.

Having said all this, there really should be a separate webmail log in the system just like the other "protocols" and "modules" have rather than having to grep out the data from the admin log.

Another "concept" would be to be able to turn on an "audit log" for a particular user or domain that would just be a literal "verbose activity log", regardless of protocol - able to be dumped into one file for that domain or user. Have the ability to automatically turn it off after a set period even for those who forget.
MailEnable survivor / convert --
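Added example (not part of the original posts, and not SmarterTools code): a Python script that pulls every "delete messages" entry out of an administrative log and, for each one, reports when it happened, from which IP, and on how many earlier days that same IP was already active on the mailbox, which is the correlation described in the post above. It assumes the date-prefixed line format quoted earlier in the thread; the sample lines, accounts and IPs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the date-prefixed administrative-log format quoted in
# this thread; accounts and IPs (documentation ranges) are made up.
SAMPLE_LOG = """\
[2025.05.02] 08:01:10.100 [198.51.100.7] Webmail Attempting to login user: user@domain.tld
[2025.05.02] 08:01:10.100 [198.51.100.7] Webmail Login successful: With user user@domain.tld
[2025.05.02] 08:03:00.000 [198.51.100.7] User user@domain.tld calling patch message, owner: user@domain.tld, count: 1, folder: inbox
[2025.06.04] 09:15:44.000 [198.51.100.7] Webmail Login successful: With user user@domain.tld
[2025.06.05] 10:10:21.212 [198.51.100.7] User user@domain.tld calling delete messages, folder: Inbox, owner: user@domain.tld, all: , count: 3
[2025.06.05] 10:10:26.244 [198.51.100.7] User user@domain.tld calling delete messages, folder: Deleted Items, owner: user@domain.tld, all: , count: 0
[2025.06.06] 14:00:24.084 [203.0.113.50] User user@domain.tld calling delete messages, folder: sent items, owner: user@domain.tld, all: , count: 1
[2025.06.06] 14:05:00.000 [10.1.1.80] User admin@ as other@domain.tld calling delete messages, folder: Inbox, owner: other@domain.tld, all: , count: 2
"""

LINE = re.compile(r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
                  r"\[(?P<ip>[^\]]+)\] (?P<msg>.*)$")
LOGIN = re.compile(r"^\w+ Login successful: With user (?P<user>\S+)$")
CALL = re.compile(r"^User (?P<actor>\S+)(?: as (?P<target>\S+))? calling "
                  r"(?P<op>[^,]+)(?:, (?P<args>.*))?$")
DELETE = re.compile(r"^folder: (?P<folder>.*), owner: (?P<owner>\S+), "
                    r"all: .*, count: (?P<count>\d+)$")


def parse_events(text):
    """Return successful logins and 'calling ...' entries as dicts, in file order."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # day headers, blank lines, entries without an IP
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y.%m.%d %H:%M:%S.%f")
        ev = {"ts": ts, "ip": m["ip"], "admin": None, "folder": None, "count": None}
        login, call = LOGIN.match(m["msg"]), CALL.match(m["msg"])
        if login:
            ev.update(op="login", user=login["user"].lower())
        elif call:
            # "User A as B calling ..." is an administrator acting on mailbox B.
            ev.update(op=call["op"].strip(),
                      admin=call["target"] and call["actor"],
                      user=(call["target"] or call["actor"]).lower())
            d = DELETE.match(call["args"] or "")
            if d:
                ev.update(folder=d["folder"], count=int(d["count"]),
                          user=d["owner"].lower())
        else:
            continue  # failed logins, logouts and other entries are not used here
        events.append(ev)
    return events


def deletion_report(events):
    """One row per delete call, with the IP's earlier history on that mailbox."""
    seen = defaultdict(set)  # (mailbox, ip) -> calendar days with activity
    report = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, day = (ev["user"], ev["ip"]), ev["ts"].date()
        if ev["op"] == "delete messages":
            earlier = sorted(d for d in seen[key] if d < day)
            report.append({
                "when": ev["ts"].isoformat(sep=" ", timespec="milliseconds"),
                "mailbox": ev["user"],
                "ip": ev["ip"],
                "folder": ev["folder"],
                "count": ev["count"],
                "impersonated_by": ev["admin"],
                "ip_first_seen": earlier[0].isoformat() if earlier else None,
                "ip_prior_days": len(earlier),
            })
        if ev["admin"] is None:
            # Administrator sessions do not count as the mailbox owner's own history.
            seen[key].add(day)
    return report


if __name__ == "__main__":
    for row in deletion_report(parse_events(SAMPLE_LOG)):
        print(row)
```

The `count` value is reported exactly as logged; in the test posted earlier in this thread the "delete all folder content" action was logged with count: 0, so a zero does not show that nothing was deleted.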
3
Sébastien Riccio Replied
Another "concept" would be to be able to turn on an "audit log" for a particular user or domain that would just be a literal "verbose activity log", regardless of protocol - able to be dumped into one file for that domain or user. Have the ability to automatically turn it off after a set period even for those who forget.

+10, that's something I have suggested/asked for multiple times over the past few years...

For example here:
https://portal.smartertools.com/community/a94148/enable-detailed-imap-log-for-a-specific-mailbox.aspx

Never had any feedback about it :'(
Sébastien Riccio System & Network Admin https://swisscenter.com
0
J. LaDow Replied
I should renew our support agreement and update before I request features, but when we do, I will start a proper thread and request for what I'm describing - as this would be more of a combined log - all that selected domain or user's activity (regardless of but identified by protocol), would go into this output stream.
MailEnable survivor / convert --
0
Sabatino Replied
@Gabriele

Also, a real-time log in the style of IceWarp would be very useful.

I'll make it short.

Once you have the client's IP, monitor the client's real-time activities on a protocol like SMTP (coupled with delivery), possibly.
This is very useful during customer support.

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
