  1. #1
    Member
    Join Date
    Apr 2005
    Posts
    142

    User has lost e-mails

    One of my users has lost all of their e-mails in their inbox from before July 10th.

    They are currently using IMAP to access their mailbox.

    I checked /var/log/maillog and it shows up a lot of entries for both POP3 and IMAP:

    Jul 18 09:57:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64262]
    Jul 18 09:57:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64262], top=0, retr=0, rcvd=29, sent=98, time=0
    Jul 18 10:02:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64522]
    Jul 18 10:02:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64522], top=0, retr=0, rcvd=29, sent=98, time=0
    Jul 18 10:07:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64571]
    Jul 18 10:07:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64571], top=0, retr=0, rcvd=29, sent=98, time=0
    Jul 18 10:11:23 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43881], protocol=IMAP
    Jul 18 10:11:23 flake imapd: DISCONNECTED, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=0, sent=19, time=0
    Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43882], protocol=IMAP
    Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=30, sent=238, time=0
    Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43883], protocol=IMAP
    Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=596, sent=9172, time=0
    Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43884], protocol=IMAP
    Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=439, sent=1508, time=0
    Jul 18 10:12:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64704]
    Jul 18 10:12:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64704], top=0, retr=0, rcvd=29, sent=98, time=0
    Jul 18 10:12:26 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43892], protocol=IMAP
    Jul 18 10:12:26 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=394, time=0
    Jul 18 10:13:17 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43918], protocol=IMAP
    Jul 18 10:13:17 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=990, sent=205, time=0
    Jul 18 10:13:18 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43919], protocol=IMAP
    Jul 18 10:13:18 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=328, sent=8259, time=0
    Jul 18 10:13:46 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43930], protocol=IMAP
    Jul 18 10:13:46 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3713, body=0, rcvd=332, sent=8219, time=0
    Jul 18 10:13:50 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43932], protocol=IMAP
    Jul 18 10:13:50 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=1600, rcvd=151, sent=2302, time=0
    Jul 18 10:13:56 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43933], protocol=IMAP
    Jul 18 10:13:56 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=169, sent=624, time=0
    Jul 18 10:13:57 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43934], protocol=IMAP
    Jul 18 10:13:57 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=328, sent=8259, time=0
    Jul 18 10:17:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64802]
    Jul 18 10:17:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64802], top=0, retr=0, rcvd=29, sent=98, time=0
    Jul 18 10:22:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64890]
    Jul 18 10:22:09 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64890], top=0, retr=0, rcvd=29, sent=98, time=1
    Jul 18 10:27:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64952]
    Jul 18 10:27:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64952], top=0, retr=0, rcvd=29, sent=98, time=0
    It seems as though there is something accessing the account via POP3 every 5 minutes. I don't know if the IP address listed against the POP3 records is the client's or not; I will find out.

    So, I have two questions:

    - There are currently e-mails since July 10th that are still sitting in her mailbox; if something is accessing the mailbox via POP3, why haven't these been downloaded?
    - Is there any way to tell when/where these e-mails were downloaded/removed?

    Thanks

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    POP3 by default deletes mail from the server unless specifically
    programmed to do otherwise which means from your log someone
    is likely checking the account using a POP3 client and erasing
    the messages in the process.

    If the messages have been read as from SOME of the webmail
    clients, they might not be picked up by the POP3 client; it
    has to do with how messages are flagged as read on the
    mail system that cPanel typically uses.

    The big question is WHO is using the POP3 client. Since it would
    require password authentication to log in and subsequently delete
    messages with POP3, I would strongly suspect it is your client
    who deleted their own messages not knowing what they were
    doing and most likely the one with the POP3 client.

    I would check their previous access IP address and compare
    it to what you have on record for the POP3 client to confirm
    to see if it is at least the same ISP. If so, you probably should
    ask the client what mail programs they have recently set up
    on their computer (because that is probably where their
    missing messages are now located if they didn't delete them).

  3. #3
    Member
    Join Date
    Apr 2005
    Posts
    142

    Thanks, that information is very useful. I will get in touch with the client and see if they have been downloading the e-mails somehow.
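An added example, not part of the original posts: one way to answer the "when/where" question from /var/log/maillog is to group the session-end lines by service, user and client IP, then report the polling interval and which sessions actually moved message data. It assumes the log format quoted in the thread and that a non-zero top=/retr= (POP3) or headers=/body= (IMAP) counter means message data was fetched; the quoted lines carry no deletion counter, so this shows retrieval, not deletion. The sample lines, the 192.0.2.10 address and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the log format quoted in the thread. 192.0.2.10 is a
# documentation address standing in for the redacted client IP, and the
# non-zero retr= value is invented to exercise the retrieval case.
SAMPLE = """\
Jul 18 09:57:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64262]
Jul 18 09:57:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64262], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:02:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64522], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:07:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64571], top=0, retr=18452, rcvd=61, sent=18710, time=1
Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=596, sent=9172, time=0
Jul 18 10:12:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64704], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:13:50 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=1600, rcvd=151, sent=2302, time=0
"""

# Only session-end records carry the transfer counters.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (pop3d|imapd): (?:LOGOUT|DISCONNECTED), (.*)$")
FIELD = re.compile(r"(\w+)=\[?([^\],]+)\]?")

def summarize(text, year=2000):
    """Group session-end records by (service, user, IP); syslog has no year, so the caller supplies it."""
    groups = defaultdict(lambda: {"sessions": 0, "fetched": 0, "times": [], "fetched_at": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # LOGIN lines and unrelated daemons
        stamp, service, rest = m.groups()
        f = dict(FIELD.findall(rest))
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # pop3d reports top=/retr=, imapd reports headers=/body=
        moved = sum(int(f.get(k, 0)) for k in ("top", "retr", "headers", "body"))
        g = groups[(service, f["user"], f["ip"].replace("::ffff:", ""))]
        g["sessions"] += 1
        g["fetched"] += moved
        g["times"].append(when)
        if moved:
            g["fetched_at"].append(when)  # sessions that pulled message data
    for g in groups.values():
        t = sorted(g.pop("times"))
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        g["poll_seconds"] = median(gaps) if gaps else None
    return dict(groups)

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, g)
```

Run over the rotated maillog files as well, since the retrieval being looked for may predate the current file.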
