User has lost e-mails
One of my users has lost all of their e-mails in their inbox from before July 10th.
They are currently using IMAP to access their mailbox.
I checked /var/log/maillog and it shows up a lot of entries for both POP3 and IMAP:
Quote:
Jul 18 09:57:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64262]
Jul 18 09:57:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64262], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:02:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64522]
Jul 18 10:02:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64522], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:07:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64571]
Jul 18 10:07:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64571], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:11:23 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43881], protocol=IMAP
Jul 18 10:11:23 flake imapd: DISCONNECTED, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=0, sent=19, time=0
Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43882], protocol=IMAP
Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=30, sent=238, time=0
Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43883], protocol=IMAP
Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=596, sent=9172, time=0
Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43884], protocol=IMAP
Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=439, sent=1508, time=0
Jul 18 10:12:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64704]
Jul 18 10:12:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64704], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:12:26 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43892], protocol=IMAP
Jul 18 10:12:26 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=394, time=0
Jul 18 10:13:17 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43918], protocol=IMAP
Jul 18 10:13:17 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=990, sent=205, time=0
Jul 18 10:13:18 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43919], protocol=IMAP
Jul 18 10:13:18 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=328, sent=8259, time=0
Jul 18 10:13:46 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43930], protocol=IMAP
Jul 18 10:13:46 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3713, body=0, rcvd=332, sent=8219, time=0
Jul 18 10:13:50 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43932], protocol=IMAP
Jul 18 10:13:50 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=1600, rcvd=151, sent=2302, time=0
Jul 18 10:13:56 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43933], protocol=IMAP
Jul 18 10:13:56 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=169, sent=624, time=0
Jul 18 10:13:57 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43934], protocol=IMAP
Jul 18 10:13:57 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=328, sent=8259, time=0
Jul 18 10:17:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64802]
Jul 18 10:17:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64802], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:22:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64890]
Jul 18 10:22:09 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64890], top=0, retr=0, rcvd=29, sent=98, time=1
Jul 18 10:27:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64952]
Jul 18 10:27:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64952], top=0, retr=0, rcvd=29, sent=98, time=0
It seems as though there is something accessing the account via POP3 every 5 minutes. I don't know if the IP address listed against the POP3 records is the client's or not; I will find out.
So, I have two questions:
- There are currently e-mails since July 10th that are still sitting in her mailbox; if something is accessing the mailbox via POP3, why haven't these been downloaded?
- Is there any way to tell when/where these e-mails were downloaded/removed?
Thanks
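
Added example (not part of the original post): a Python parser for the pop3d/imapd session-end lines quoted above, listing the sessions that transferred message content and the interval between polls per source. The sample lines and addresses are constructed, the `year` parameter is needed because syslog timestamps carry none, and reading a non-zero top=, retr= or body= counter as "message data was fetched" is an assumption about these fields.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the maillog lines quoted above
# (placeholder user and addresses; the retr=5120 line is invented for the demo).
SAMPLE = """\
Jul 10 08:02:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64001]
Jul 10 08:02:11 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64001], top=0, retr=5120, rcvd=60, sent=5300, time=3
Jul 18 09:57:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64262], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:02:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:192.0.2.10], port=[64522], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:13:50 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=1600, rcvd=151, sent=2302, time=0
"""

# Only session-end lines carry the transfer counters; LOGIN lines are skipped.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (pop3d|imapd): "
                  r"(LOGOUT|DISCONNECTED), user=([^,]+), ip=\[([^\]]+)\](.*)$")
# Assumption: these counters are non-zero only when message data was sent.
CONTENT_FIELDS = {"pop3d": ("top", "retr"), "imapd": ("body",)}

def parse_sessions(text, year=2000):
    """Yield one dict per session-end line, with its numeric counters."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, daemon, _event, user, ip, rest = m.groups()
        counters = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", rest)}
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield {"when": when, "daemon": daemon, "user": user, "ip": ip, **counters}

def content_fetches(sessions):
    """Sessions that pulled message content: POP3 TOP/RETR or IMAP body data."""
    return [s for s in sessions
            if any(s.get(f, 0) > 0 for f in CONTENT_FIELDS[s["daemon"]])]

def poll_intervals(sessions):
    """Seconds between consecutive session ends, per (daemon, ip)."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[(s["daemon"], s["ip"])].append(s["when"])
    return {src: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for src, t in by_src.items()}

if __name__ == "__main__":
    sessions = list(parse_sessions(SAMPLE))
    for s in content_fetches(sessions):
        print(s["when"], s["daemon"], s["ip"], s["user"])
    print(poll_intervals(sessions))
```

Run over the rotated maillog files covering the days around July 10th, this shows which source address and protocol fetched message data and when. The session lines shown carry no deletion counter, so the output identifies fetches, not removals.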