Kerio Connect forum topic: catching a spy...
  •  
ronan

I have one user that is convinced that another user is reading his mail. He believes the "suspect" has his password and is checking his webmail. We could change the password but I want to clear this up one way or the other. Is there any way to see if and when someone has logged into webmail?

My plan is to send the "victim" an email with an enticing subject line and tell him not to use webmail and hopefully see if someone logs in to his webmail. That's one idea anyway; any other suggestions would be appreciated.

Thanks!
  •  
sedell

I wish they did have a log that showed logon and logoff events with the IP address that initiated the event. That would make life so much simpler. But, since they don't...

If they're using webmail, you could watch the Active Webmail Sessions tab under Active Connections. The downside is you'd have to refresh the screen often, and would have to see it as it happens.

Do you use a directory server? If so, you can enable HTTP Server, and User Authentication in the debug log. That would show something resembling the following when a user logs on from webmail:
[27/Jan/2009 07:21:47][944] {https} HTTP connection from 192.168.1.35:3601 started
[27/Jan/2009 07:21:47][944] {https} POST request for URI /webmail/dologin.php
[27/Jan/2009 07:21:47][944] {https} User-Agent header: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
[27/Jan/2009 07:21:47][944] {https} Found dispatcher for url /webmail/dologin.php with service id 80.
[27/Jan/2009 07:21:47][944] {auth} Krb5: entering auth (user test<_a.t_>DOMAIN.COM)
[27/Jan/2009 07:21:48][944] {auth} Krb5 auth: user test<_a.t_>DOMAIN.COM authenticated
[27/Jan/2009 07:21:48][944] {https} Response: HTTP/1.1 302 Found
[27/Jan/2009 07:21:48][944] {https} Request finished in 0.03 s, received 590 bytes, sent 311 bytes


The https module shows the IP address connected from, and the auth module shows who authenticated during that request. It only works if you use a directory server, though. The auth module doesn't record anything for local KMS accounts.

Fair warning - the debug logs get very big very quickly when doing this, and it will be a LOT of data to go through to find the info you're looking for.

Scott
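One way to automate the correlation described in the post above, as an added example that is not part of the original thread and is not Kerio code: it pairs each auth-module success with the client IP of the https connection that carries the same bracketed number. It assumes that number identifies the connection being handled; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample in the debug-log format quoted above (users and IPs are made up).
SAMPLE_LOG = """\
[27/Jan/2009 07:21:47][944] {https} HTTP connection from 192.168.1.35:3601 started
[27/Jan/2009 07:21:47][944] {https} POST request for URI /webmail/dologin.php
[27/Jan/2009 07:21:47][812] {https} HTTP connection from 10.0.0.7:4410 started
[27/Jan/2009 07:21:47][944] {auth} Krb5: entering auth (user test@DOMAIN.COM)
[27/Jan/2009 07:21:47][812] {https} POST request for URI /webmail/dologin.php
[27/Jan/2009 07:21:48][944] {auth} Krb5 auth: user test@DOMAIN.COM authenticated
[27/Jan/2009 07:21:48][812] {auth} Krb5 auth: user other@DOMAIN.COM authenticated
[27/Jan/2009 07:21:48][944] {https} Request finished in 0.03 s, received 590 bytes, sent 311 bytes
[27/Jan/2009 07:21:49][944] {https} HTTP connection from 192.168.1.99:5120 started
[27/Jan/2009 07:21:49][944] {https} GET request for URI /webmail/index.php
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\] \{(?P<mod>\w+)\} (?P<msg>.*)$")
CONNECT = re.compile(r"HTTP connection from (?P<ip>\S+):\d+ started")
REQUEST = re.compile(r"(?:GET|POST) request for URI (?P<uri>\S+)")
AUTH_OK = re.compile(r"auth: user (?P<user>\S+) authenticated")
Login = namedtuple("Login", "timestamp user ip")

def webmail_logins(log_text, login_uri="/webmail/dologin.php"):
    """Return a Login for each successful auth seen while a login request was in progress."""
    state = {}   # bracketed id (assumed per-connection) -> client IP and last requested URI
    logins = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # skip lines that are not in the expected format
        tid, mod, msg = m["tid"], m["mod"], m["msg"]
        if mod == "https":
            if (c := CONNECT.search(msg)):
                state[tid] = {"ip": c["ip"], "uri": None}   # new connection resets context
            elif (r := REQUEST.search(msg)) and tid in state:
                state[tid]["uri"] = r["uri"]
        elif mod == "auth":
            a = AUTH_OK.search(msg)
            ctx = state.get(tid)
            if a and ctx and ctx["uri"] == login_uri:
                logins.append(Login(m["ts"], a["user"], ctx["ip"]))
    return logins

def logins_for(log_text, user):
    """Filter the webmail logins down to one account (case-insensitive match)."""
    return [l for l in webmail_logins(log_text) if l.user.lower() == user.lower()]
```

Comparing the addresses returned by `logins_for` against the addresses the account owner normally connects from narrows a large debug log down to the few entries worth reviewing.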
  •  
freakinvibe

In the Admin Console you can go to

Domain Settings > User

Choose the "victim" user

Click on "Status" > "User Statistics"

You can then check the last login times for Web Mail, POP, IMAP and other stuff.

You can also change the user's password and then check the Warning log. If the "spy" tries to log in, you would see something like

HTTP/WebMail: Invalid password for user xxx<_a.t_>xxx.net. Attempt from IP address xxx.xxx.xxx.xxx

[Updated on: Thu, 29 January 2009 13:03]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
ronan

freakinvibe wrote on Thu, 29 January 2009 13:02

In the Admin Console you can go to

Domain Settings > User

Choose the "victim" user

Click on "Status" > "User Statistics"

You can then check the last login times for Web Mail, POP, IMAP and other stuff.

You can also change the user's password and then check the Warning log. If the "spy" tries to log in, you would see something like

HTTP/WebMail: Invalid password for user xxx<_a.t_>xxx.net. Attempt from IP address xxx.xxx.xxx.xxx



Very good. Thanks a lot!!