#1 (permalink)  
Old 07-17-2009, 08:29 PM
Registered User
 
Join Date: Apr 2005
Posts: 124
n000b is on a distinguished road
User has lost e-mails

One of my users has lost all of their e-mails in their inbox from before July 10th.

They are currently using IMAP to access their mailbox.

I checked /var/log/maillog and it shows up a lot of entries for both POP3 and IMAP:

Quote:
Jul 18 09:57:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64262]
Jul 18 09:57:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64262], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:02:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64522]
Jul 18 10:02:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64522], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:07:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64571]
Jul 18 10:07:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64571], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:11:23 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43881], protocol=IMAP
Jul 18 10:11:23 flake imapd: DISCONNECTED, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=0, sent=19, time=0
Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43882], protocol=IMAP
Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=30, sent=238, time=0
Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43883], protocol=IMAP
Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=596, sent=9172, time=0
Jul 18 10:11:24 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43884], protocol=IMAP
Jul 18 10:11:24 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=439, sent=1508, time=0
Jul 18 10:12:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64704]
Jul 18 10:12:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64704], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:12:26 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43892], protocol=IMAP
Jul 18 10:12:26 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=394, time=0
Jul 18 10:13:17 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43918], protocol=IMAP
Jul 18 10:13:17 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=990, sent=205, time=0
Jul 18 10:13:18 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43919], protocol=IMAP
Jul 18 10:13:18 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=328, sent=8259, time=0
Jul 18 10:13:46 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43930], protocol=IMAP
Jul 18 10:13:46 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3713, body=0, rcvd=332, sent=8219, time=0
Jul 18 10:13:50 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43932], protocol=IMAP
Jul 18 10:13:50 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=1600, rcvd=151, sent=2302, time=0
Jul 18 10:13:56 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43933], protocol=IMAP
Jul 18 10:13:56 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=169, sent=624, time=0
Jul 18 10:13:57 flake imapd: LOGIN, user=email@domain.com, ip=[::ffff:127.0.0.1], port=[43934], protocol=IMAP
Jul 18 10:13:57 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=328, sent=8259, time=0
Jul 18 10:17:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64802]
Jul 18 10:17:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64802], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 18 10:22:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64890]
Jul 18 10:22:09 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64890], top=0, retr=0, rcvd=29, sent=98, time=1
Jul 18 10:27:08 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64952]
Jul 18 10:27:08 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:some.ip.address], port=[64952], top=0, retr=0, rcvd=29, sent=98, time=0
It seems as though there is something accessing the account via POP3 every 5 minutes. I don't know if the IP address listed against the POP3 records is the client's or not; I will find out.

So, I have two questions:

- There are currently e-mails since July 10th that are still sitting in her mailbox; if something is accessing the mailbox via POP3, why haven't these been downloaded?
- Is there any way to tell when/where these e-mails were downloaded/removed?

Thanks
  #2 (permalink)  
Old 07-17-2009, 09:39 PM
Registered User
 
Join Date: Jun 2005
Location: Area 51
Posts: 1,501
Spiral is on a distinguished road
POP3 by default deletes mail from the server unless specifically
programmed to do otherwise, which means from your log someone
is likely checking the account using a POP3 client and erasing
the messages in the process.

If the messages have been read, as from SOME of the webmail
clients, they might not be picked up by the POP3 client; it
has to do with how messages are flagged as read on the
mail system that cPanel typically uses.

The big question is WHO is using the POP3 client. Since it would
require password authentication to log in and subsequently delete
messages with POP3, I would strongly suspect it is your client
who deleted their own messages not knowing what they were
doing, and most likely the one with the POP3 client.

I would check their previous access IP address and compare
it to what you have on record for the POP3 client to confirm
whether it is at least the same ISP. If so, you probably should
ask the client what mail programs they have recently set up
on their computer (because that is probably where their
missing messages are now located if they didn't delete them).
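One way to run the comparison suggested above over /var/log/maillog, as an added example that is not part of either poster's reply: it parses session-end lines in the format quoted in the first post, lists sessions that fetched message content, and counts sessions per client IP. The sample log is constructed (documentation IP addresses), and reading a non-zero `retr=` (POP3) or `body=` (IMAP) as "message content was fetched" is an assumption; the quoted lines carry no field for deletions, so this narrows down when and from where mail was downloaded rather than proving who removed it.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (not the poster's real log).
SAMPLE = """\
Jul 10 08:14:02 flake pop3d: LOGIN, user=email@domain.com, ip=[::ffff:203.0.113.7], port=[51200]
Jul 10 08:14:09 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:203.0.113.7], port=[51200], top=0, retr=482113, rcvd=410, sent=483950, time=7
Jul 10 08:19:02 flake pop3d: LOGOUT, user=email@domain.com, ip=[::ffff:203.0.113.7], port=[51344], top=0, retr=0, rcvd=29, sent=98, time=0
Jul 10 08:20:11 flake imapd: LOGOUT, user=email@domain.com, ip=[::ffff:127.0.0.1], headers=3740, body=0, rcvd=596, sent=9172, time=0
Jul 10 08:21:40 flake imapd: DISCONNECTED, user=other@domain.com, ip=[::ffff:198.51.100.9], headers=0, body=1600, rcvd=151, sent=2302, time=0
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ (?P<svc>pop3d|imapd): "
                  r"(?P<event>LOGOUT|DISCONNECTED), (?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=\[?([^\],]+)\]?")

def parse_line(line):
    """Return a dict for a session-end line, or None for LOGIN and unrelated lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "svc": m["svc"], "event": m["event"]}
    for key, val in FIELD.findall(m["rest"]):
        rec[key] = int(val) if val.isdigit() else val
    rec["ip"] = rec.get("ip", "").replace("::ffff:", "")  # drop IPv4-mapped prefix
    return rec

def download_sessions(log_text, user):
    """Sessions for `user` that fetched content (assumed: POP3 retr>0 or IMAP body>0)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("user") == user:
            fetched = rec.get("retr", 0) if rec["svc"] == "pop3d" else rec.get("body", 0)
            if fetched > 0:
                hits.append((rec["ts"], rec["svc"], rec["ip"], fetched))
    return hits

def sessions_by_source(log_text, user):
    """Count finished sessions per (service, client IP) to compare with known addresses."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("user") == user:
            counts[(rec["svc"], rec["ip"])] += 1
    return dict(counts)
```

To use it on a real server, pass the contents of the log file (and any rotated copies covering the date in question) as `log_text`.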
  #3 (permalink)  
Old 07-18-2009, 12:55 AM
Registered User
 
Join Date: Apr 2005
Posts: 124
n000b is on a distinguished road
Thanks, that information is very useful. I will get in touch with the client and see if they have been downloading the e-mails somehow.
All times are GMT -5.