Debugging POP3 session / Who deleted emails through POP3?

anton_latvia

Hello dear community!
I am looking for an answer or solution to a trivial problem. A customer accesses an inbox through the POP3 protocol from multiple locations/computers. At some point someone deleted all the emails. Is it possible to identify that session? :)

Anton
 

cPRex

Hey hey! Maybe, but you'll have to dig through logs that may not be that easy to read.

I connected to a personal email account with a POP connection and got these logs inside /var/log/maillog:

Code:
Mar  5 11:44:12 host dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=1.2.3.4, lip=4.3.2.1, mpid=775047, TLS, session=<P3o9y8y83M5jY/NK>
Mar  5 11:44:12 host dovecot: pop3([email protected])<775047><P3o9y8y83M5jY/NK>: Disconnected: Logged out top=0/0, retr=0/0, del=0/2, size=13955, bytes=6/34
Mar  5 11:44:13 host dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=1.2.3.4, lip=4..3.2.1, mpid=775049, TLS, session=<1CBOy8y84M5jY/NK>
Mar  5 11:44:14 host dovecot: pop3([email protected])<775049><1CBOy8y84M5jY/NK>: Disconnected: Logged out top=0/0, retr=2/13989, del=0/2, size=13955, bytes=40/14124
If you're logged in, it doesn't specifically show when the message was deleted in the log until you create a new session. I accessed the account again, and you'll notice the "del=0/2" is updated to 1/2, indicating I deleted one of the two messages on the account.

Code:
Mar  5 11:48:42 host dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=1.2.3.4, lip=4.3.2.1, mpid=775172, TLS, session=<XLVG28y8ZM9jY/NK>
Mar  5 11:48:42 host dovecot: pop3([email protected])<775172><XLVG28y8ZM9jY/NK>: Disconnected: Logged out top=0/0, retr=0/0, del=1/2, size=13955, bytes=32/174
Hopefully that gets you enough detail to see the IP address of the login that removed the messages.
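
The lookup described in the reply above can be scripted; this is an added example, not part of the original thread or cPanel's tooling. It pairs each Dovecot `pop3-login` line with its `Disconnected` line by session ID and reports the sessions whose `del=` counter is non-zero, along with the remote IP. The function name `deleting_sessions`, the mailbox name and the IP addresses are assumptions, and the sample lines are constructed in the format shown above.

```python
import re

# Constructed sample lines in the format shown in the thread (placeholder user and IPs).
SAMPLE_LOG = """\
Mar  5 11:44:12 host dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, mpid=775047, TLS, session=<P3o9y8y83M5jY/NK>
Mar  5 11:44:12 host dovecot: pop3(bob@example.com)<775047><P3o9y8y83M5jY/NK>: Disconnected: Logged out top=0/0, retr=0/0, del=0/2, size=13955, bytes=6/34
Mar  5 11:48:42 host dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=775172, TLS, session=<XLVG28y8ZM9jY/NK>
Mar  5 11:48:42 host dovecot: pop3(bob@example.com)<775172><XLVG28y8ZM9jY/NK>: Disconnected: Logged out top=0/0, retr=0/0, del=1/2, size=13955, bytes=32/174
Mar  5 11:50:01 host dovecot: pop3(bob@example.com)<775200><orphanSession00>: Disconnected: Logged out top=0/0, retr=0/0, del=2/2, size=13955, bytes=32/174
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: pop3-login: Login: "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+).*?session=<(?P<sid>[^>]+)>")
LOGOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: pop3\((?P<user>[^)]*)\)"
    r"<\d+><(?P<sid>[^>]+)>: Disconnected: .*?\bdel=(?P<deleted>\d+)/(?P<total>\d+)")

def deleting_sessions(lines, user=None):
    """Return one dict per POP3 session that deleted at least one message."""
    logins, hits = {}, []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins[m["sid"]] = (m["ts"], m["rip"])  # remember who opened the session
            continue
        m = LOGOUT_RE.match(line)
        if not m or int(m["deleted"]) == 0:
            continue
        if user and m["user"] != user:
            continue
        # The login line may have rotated out of this file; keep the hit anyway.
        login_ts, rip = logins.get(m["sid"], (None, "unknown"))
        hits.append({"user": m["user"], "session": m["sid"], "rip": rip,
                     "login": login_ts, "logout": m["ts"],
                     "deleted": int(m["deleted"]), "total": int(m["total"])})
    return hits

if __name__ == "__main__":
    for h in deleting_sessions(SAMPLE_LOG.splitlines(), user="bob@example.com"):
        print(h)
```

To run it against a real server, pass the lines of /var/log/maillog (and any rotated copies, oldest first) instead of `SAMPLE_LOG`; a hit with `rip` set to `unknown` means the matching login line is in a file that was not supplied.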