Debugging POP3 session / Who deleted emails through POP3?

[anton_latvia]

Hello dear community!
I am looking for an answer or solution on a trivial problem. Customer access inbox through POP3 protocol from multiple locations/computers. At some point someone has deleted all emails. Is it possible to identify that session?

Anton

 

[cPRex]

Hey hey! Maybe, but you'll have to dig through logs that may not be that easy to read.

I connected to a personal email account with a POP connection and got these logs inside /var/log/maillog:

Mar  5 11:44:12 host dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=1.2.3.4, lip=4.3.2.1, mpid=775047, TLS, session=<P3o9y8y83M5jY/NK>
Mar  5 11:44:12 host dovecot: pop3([email protected])<775047><P3o9y8y83M5jY/NK>: Disconnected: Logged out top=0/0, retr=0/0, del=0/2, size=13955, bytes=6/34
Mar  5 11:44:13 host dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=1.2.3.4, lip=4..3.2.1, mpid=775049, TLS, session=<1CBOy8y84M5jY/NK>
Mar  5 11:44:14 host dovecot: pop3([email protected])<775049><1CBOy8y84M5jY/NK>: Disconnected: Logged out top=0/0, retr=2/13989, del=0/2, size=13955, bytes=40/14124

If you're logged in, it doesn't specifically show when the message was deleted in the log until you create a new session. I accessed the account again, and you'll notice the "del=0/2" is updated to 1/2, indicating I deleted one of the two messages on the account.

Mar  5 11:48:42 host dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=1.2.3.4, lip=4.3.2.1, mpid=775172, TLS, session=<XLVG28y8ZM9jY/NK>
Mar  5 11:48:42 host dovecot: pop3([email protected])<775172><XLVG28y8ZM9jY/NK>: Disconnected: Logged out top=0/0, retr=0/0, del=1/2, size=13955, bytes=32/174

Hopefully that gets you enough detail to see the IP address of the login that removed the messages.