webmail log

Question asked by Sabatino - Yesterday at 2:00 AM

Answered

I have a client who only uses webmail

He deleted all the messages and tells me he doesn't remember doing it.

I wanted to find some references, but I realized that I can't find a log of the activities done via webmail

I expected to find a login maybe on imap.

But I didn't find anything

Sabatino Traini
Chief Information Officer

Genial s.r.l.
Martinsicuro - Italy

8 Replies

Reply to Thread

Matt Petty Replied

Yesterday at 7:08 AM

Employee Post

Here's a cool trick, the "change_number" can actually be used to get a Date, down to the second of when the change was made.

Copy that number and then run it through this JS function (use an online compiler or your browsers console to do this)
function toUtcDate(cn) { return cn === 0 ? new Date(0) : new Date(2018, 0, 1, 0, 0, cn >> 16);}

You could go into the folders.json for the folders they modified (unless the folders themselves are gone) and you could potentially use the changenumbers to atleast track down a Date/Time of the modifications.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Sabatino Replied

Yesterday at 9:12 AM

Thanks, but it doesn't solve my problem.

I would like to have a log of the operations done via webmail.

As it happens with the imap log where I find

[2025.06.05] 18:08:40.251 [xxx.xxx.xxx.xxx][51151625] command: A191 UID MOVE 152044 "Deleted Items"

for a message moved to the trash

and

[2025.06.05] 18:09:43.506 [xxx.xxx.xxx.xxx][51151625] command: A193 UID STORE 152041 +FLAGS.SILENT (\Deleted)

[2025.06.05] 18:09:43.508 [xxx.xxx.xxx.xxx][51151625] response: A193 OK STORE completed

[2025.06.05] 18:09:43.528 [xxx.xxx.xxx.xxx][51151625] command: A194 UID EXPUNGE 152041

for a permanently deleted message

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy

Tony Scholz Replied

Yesterday at 10:11 AM

Employee Post Marked As Answer

The administrative log will show when something is done via webmail.

[2025.06.05] 10:10:21.212 [10.1.1.80] User admin@ as Aaron@domain.tld calling delete messages, folder: Inbox, owner: Aaron@domain.tld, all: , count: 0
[2025.06.05] 10:10:23.290 [10.1.1.80] User admin@ as Aaron@domain.tld calling patch message, owner: Aaron@domain.tld, count: 1, folder: Deleted Items
[2025.06.05] 10:10:26.244 [10.1.1.80] User admin@ as Aaron@domain.tld calling delete messages, folder: Deleted Items, owner: Aaron@domain.tld, all: , count: 0

Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com

Sabatino Replied

Today at 12:54 AM

I have to tell you that I am very perplexed.

I did some tests on a test account

I deleted 3 messages first using the trash

Then I deleted 3 messages permanently (no trash)

Then I used the delete all folder content function

[2025.06.06] 09:45:15.593 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 3

[2025.06.06] 09:45:53.846 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 3

[2025.06.06] 09:46:31.697 [xxx.xxx.xxx.xxx] User user@domain.tld calling delete messages, folder: oldserver/INBOX, owner: user@domain.tld, all: , count: 0

here's what I found in the administrative log

1) There is no distinction between messages that end up in the trash and not

2) Deleting all the contents of the folder the count=0

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy

Sabatino Replied

Today at 3:37 AM

The problem is that to date a customer who tells me that he has not deleted anything and that the problem is on the server I have no way to give him any proof.

I would like to have a log that tells me

at xx hours of day yy you deleted xxxx messages from the ip address... via (webmail, imap, etc)

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy