Koozali.org: home of the SME Server

Dan Williams

Mailog question
« on: May 29, 2003, 08:26:26 PM »
Hello,
We lost use of our mail the other day so I started poking around in the logs.
The log I was reviewing is "mailog.20030522011203"
The reason for this post is that at the tail end of this log there are two entries dated May 28 09:14:53 by a user who is not even in our dealership right now. The part that concerns me even further is that it also shows the IP address 10.58.48.111, and I know who uses the workstation, and questioned him, and he insists he did not try to log in as that user.
The last two lines are all that are in the log, the lines above that are from a valid date when the user was actually here.
Can anyone please explain what you see happening here as per this log?
Why are the ones from the 26th showing as localhost, and the last two lines as the IP of another user's workstation 10.58.48.11?

May 26 16:58:55 cdmerlin imapd[951]: Authenticated user=christie host=localhost [127.0.0.1]
May 26 16:58:55 cdmerlin imapd[953]: Login user=christie host=localhost [127.0.0.1]
May 26 16:58:55 cdmerlin imapd[951]: Logout user=christie host=localhost [127.0.0.1]
May 26 16:58:55 cdmerlin imapd[953]: Logout user=christie host=localhost [127.0.0.1]
May 26 16:58:55 cdmerlin imapd[954]: Authenticated user=bchristie host=localhost [127.0.0.1]
May 26 16:58:55 cdmerlin imapd[954]: Logout user=christie host=localhost [127.0.0.1]
May 28 09:14:53 cdmerlin imapd[2003]: Login user=christie host=pc-00111 [10.58.48.111]
May 28 10:29:53 cdmerlin imapd[2443]: Login user=christie host=pc-00111 [10.58.48.111]

Thanks,
Dan

Terry Brummell

Re: Mailog question
« Reply #1 on: May 29, 2003, 08:51:11 PM »
After analyzing my mail logs I'd hazard a guess that the entries with "host=pc-00111" are the user logging in from the workstation with an IMAP client email program, and the localhost entries are someone attempting to log in as that user with IMP (or any other IMAP-based web app you may have installed).  If you check the httpd access logs at the same time as the localhost entries you'll find out where the attempt is coming from.

Terry
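As an added example (not from the thread or from SME Server), here is one way to do the correlation Terry describes: parse imapd lines in the format quoted above, pick out the logins that arrived via 127.0.0.1, and list the httpd client IPs whose requests fall within a few seconds of them. The imapd sample follows the post's lines; the Apache access_log lines, the YEAR value and the /horde/imp paths are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: imapd lines in the format quoted in the thread and
# invented Apache access_log lines. syslog has no year, so YEAR is assumed.
YEAR = 2003
IMAPD_LOG = """\
May 26 16:58:55 cdmerlin imapd[951]: Authenticated user=christie host=localhost [127.0.0.1]
May 26 16:58:55 cdmerlin imapd[953]: Login user=christie host=localhost [127.0.0.1]
May 28 09:14:53 cdmerlin imapd[2003]: Login user=christie host=pc-00111 [10.58.48.111]
May 28 10:29:53 cdmerlin imapd[2443]: Login user=christie host=pc-00111 [10.58.48.111]
"""
HTTPD_LOG = """\
10.58.48.120 - - [26/May/2003:16:58:54 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 0
10.58.48.120 - - [26/May/2003:16:58:56 -0500] "GET /horde/imp/mailbox.php HTTP/1.1" 200 8421
10.58.48.7 - - [28/May/2003:09:14:50 -0500] "GET /index.html HTTP/1.1" 200 1024
"""
IMAP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ imapd\[\d+\]: "
                     r"(?P<event>\w+) user=(?P<user>\S+) host=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
HTTPD_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] "(?P<req>[^"]*)"')

def _parse(regex, fmt, text, prefix=""):
    """Match every line against regex; parse the 'ts' group into a datetime 'when'."""
    out = []
    for m in filter(None, map(regex.match, text.splitlines())):
        d = m.groupdict()
        d["when"] = datetime.strptime(prefix + d.pop("ts"), fmt)
        out.append(d)
    return out

def parse_imapd(text):
    """imapd lines -> dicts with when, event, user, host, ip."""
    return _parse(IMAP_RE, "%Y %b %d %H:%M:%S", text, prefix=f"{YEAR} ")

def parse_httpd(text):
    """access_log lines -> dicts with when (local time, offset dropped), ip, req."""
    return _parse(HTTPD_RE, "%d/%b/%Y:%H:%M:%S", text)

def correlate(imap_events, httpd_events, window_seconds=5):
    """For each IMAP login via 127.0.0.1 (a web mail app on the server itself),
    return {imap timestamp: sorted httpd client IPs active within the window}."""
    delta = timedelta(seconds=window_seconds)
    hits = {}
    for ev in imap_events:
        if ev["ip"] != "127.0.0.1" or ev["event"] not in ("Authenticated", "Login"):
            continue
        near = {h["ip"] for h in httpd_events if abs(h["when"] - ev["when"]) <= delta}
        hits.setdefault(ev["when"].strftime("%b %d %H:%M:%S"), set()).update(near)
    return {k: sorted(v) for k, v in hits.items()}
```

Run it against the real /var/log/imap and httpd access logs for the same period; an empty IP list for a localhost login means the web server was idle at that moment, which points away from the web mail app and towards another local process.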