How to log webmail activity?

Discussions on webmail and the Professional version.
paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

How to log webmail activity?

Post by paarlberg »

I am trying to investigate a security breach of one of my hosted clients and it appears that the breach was via webmail. I am trying to find when it occured and from where it was done. To do this, I need to find the webmail logs to pull the requesting IP, etc..

I have looked under the IIS site logs and the ME logs but I can't find the specific info for the webmail logs.
Last edited by paarlberg on Thu Mar 02, 2006 6:39 pm, edited 1 time in total.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

The page requests themselves should be in the IIS Logs for the web site that was serving the customer web site and /mewebmail alias.

MailEnable has its own logging at a user level, but this is not enabled by default. The typical location for MailEnable's logging is:

C:\Program Files\Mail Enable\Logging\WebMail
Regards, Andrew

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

Is the webmail logging activated via the registry?

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

Where can this be enabled? I looked in the registry and there is not a key for logging. It is also not available in the webmail properties.

This is an urgent need to guarantee that we are able to have true accountability for our users.

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

My client is requiring that this be turned on for future investigations. They need to be able to pinpoint who logged on to webmail and from where, either by IP or workstation as it is in the POP and other logs.

ME, please advise how to enable this and what data will be included in the webmail logs.

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

I used the line that enabled the webmail logging in Enterprise to try to get the logging working on ME Pro, it doesn't work. Below is the registry info I have..

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Services\WEBMAIL\Options]
"PreviewHTML"=dword:00000001
"Mailbox Redirection"=dword:00000000
"Auto Response"=dword:00000001
"Wrap at character"=dword:00000064
"DisplayImagesInline"=dword:00000001
"POP Retrieval"=dword:00000000
"CanEditDisplayName"=dword:00000001
"UseDisplayName"=dword:00000000
"MessagesPerPage"=dword:0000000f
"MessageListSize"=dword:0000010e
"Login Details"=dword:00000001
"Hyperlinks"=dword:00000000
"Default Timezone"="South Africa Standard Time"
"Default Characterset"="US-ASCII"
"Logging Status"=dword:00000001
"Log Events"="1,2,3,4,5,6,7,8,9"
Below is the info on the ME Ent. system

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Services\WEBMAIL\Options]
"PreviewHTML"=dword:00000001
"Mailbox Redirection"=dword:00000000
"Auto Response"=dword:00000001
"Wrap at character"=dword:00000064
"DisplayImagesInline"=dword:00000001
"POP Retrieval"=dword:00000000
"CanEditDisplayName"=dword:00000001
"UseDisplayName"=dword:00000000
"MessagesPerPage"=dword:0000000f
"MessageListSize"=dword:0000010e
"Login Details"=dword:00000001
"DefaultBase"="enterprise"
"Filtering"=dword:00000001
"Index Files Enabled"=dword:00000001
"NotificationStatus"=dword:00000001
"PollFrequency"=dword:00007530
"Show Usage"=dword:00000001
"Directory"=dword:00000000
"Public Folders Enabled"=dword:00000000
"Filter Limit"=dword:0000000a
"Default Characterset"="US-ASCII"
"Hyperlinks"=dword:00000001
"Calendaring Enabled"=dword:00000001
"Default Timezone"="Dateline Standard Time"
"Logging Status"=dword:00000001
"Log Events"="1,2,3,4,5,6,7,8,9"

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

:?: :?

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

ME do you have any suggestions?

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

Anyone have any suggestions?

nwelshans
Posts: 50
Joined: Wed Aug 17, 2005 3:27 am

Post by nwelshans »

Seconded.

Have you tested Beta 2.0 to see if its fixed in that release

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

Not yet.. might have to do that..

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

ME people?

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

BUMP

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

Pro Edition Webmail does not support activity logging (thats why its not configurable by the MMC). There is likely to be some unforseeable issues in attempting to hack the registry in getting this working.

The current Pro webmail only provides logging though IIS logging - which will tell you the IP address of whoever connected and what page was accessed, etc. It does not contain details as to who logged in to the mailbox.

It is definitely not advisable to jerry-rig the registry to try to get it to work.

I have raised an internal suggestion to have the logging available for the version 2 Pro and Ent edition webmails.
Regards, Andrew

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

Thank you..

Post Reply