Deleted emails in one account

[amstel]

Hi,

Someone deleted some emails in one of email account.
Can someone provide me step by step how to find out who did this?

 

[cPRex]

Hey there! The best answer I have for this is "maybe" depending on what logs are available to you.

If you have root access to the server, you can check email access using /var/log/webmail. Here is an example of what the log entry looks like when someone accesses webmail through cPanel:

Jan 26 09:57:46 host dovecot[685590]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=2089199, secured, session=<I7HC+Cvzbq0AAAAAAAAAAAAAAAAAAAAB>
Jan 26 09:57:46 host dovecot[685590]: imap([email protected])<2089199><I7HC+Cvzbq0AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=82, out=939, bytes=82/939

You'll also see similar entries each time a message is deleted, as it authenticates to the server, deletes the message, and then closes that session.

You could try and correlate those timestamps to the data in /usr/local/cpanel/log/access_log to see if that matches up with an IP address.

For even more detail, you can run this command:

tail -f /usr/local/cpanel/logs/access_log

while deleting a message in webmail, and you will get many lines of output. It's long, so I didn't share it here.

If the message was deleted from an email client, such as Outlook, the logs will be more limited.

Hopefully these details will help you track this down!