Hi, >> I'm trying to understand how the logins work: >> >> Oct 2 09:22:28 [LOGIN] user1 (example.com) from 162.225.108.50: >> Oct 2 09:51:23 [LOGIN] user1 (example.com) from 162.225.108.50: >> Oct 2 10:15:23 [LOGIN] user1 (example.com) from 162.225.108.50: >> Oct 2 10:33:47 [LOGIN] user1 (example.com) from 162.225.108.50: >> Oct 2 10:51:06 [LOGIN] user1 (example.com) from 162.225.108.50: >> Oct 2 11:59:54 [LOGIN] user1 (example.com) from 162.225.108.50: >> Oct 2 12:32:32 [LOGIN] user1 (example.com) from 162.225.108.50: >> >> There were no LOGOUT entries between each of these. How can I >> determine what the typical "login" or "session" would be, not when >> apparently the imap client logged in? >> >> In other words, are these actual logins, or periodic checks by the >> underlying IMAP client (dovecot)? > > Your understanding should be correct. Actual IMAP logins happen once or > more per page view. There will be many more of those. Your user above is > displaying strange behavior. If you find that the user isn't actually > logging in at those times, I could look around the code. This user's account was hacked. This is part of an investigation into whether webmail was one of the sources of this hack. We know submission was involved, but did not think webmail was a source as well. Thanks, Alex ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi ----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
