Mailing List CGatePro@mail.stalker.com Message #102920
From: Jeff Wark <jwark@tbaytel.net>
Subject: Session-ID in logs
Date: Tue, 24 Jan 2012 11:01:57 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Short version:
Is there any way to associate a webmail session ID [cluster based] such as
642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz
with a username in the logs?

Long Version:
I have set my server [5.2.19] to log my IP address at the debug level.  When I log in to the webmail, I cannot see an immediately obvious connection to the username.  I do find this:
10:48:54.504 5 HTTPC-153558 out: POST /ProxyLogin/jwark@tbaytel.net/aodhhdz.html HTTP/1.1\r\nReferer: http://mail.tbaytel.net/?restoreSessionPage=.html\r\nCookie: __utma=192908911.2112433454.1274466685.1326812208.1327419163.57; __utmc=192908911; __utmz=192908911.1327419163.57.22.utmccn=(referral)|ut
10:48:55.156 5 HTTPU-153558([10.2.26.250]) out: HTTP/1.1 301 Moved\r\nContent-Length: 577\r\nConnection: close\r\nDate: Tue, 24 Jan 2012 15:48:55 GMT\r\nContent-Type: text/html;charset=utf-8\r\nServer: CommuniGatePro/5.2.19\r\nLocation: http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aod

which mentions the username jwark in the HTTPC line and the session-ID in the HTTPU line [I have never seen an HTTPC entry as far as I can remember].

The reason I am asking is because one of our accounts got compromised and got our mail server listed at phishtank.com.  The URL listed there has a session-ID in it and I would like to be able to track down the account that was compromised.  Since the session ID is in the URL, I think that it could only have been valid for at most 12 hours [our session limit], but I could be wrong.  I would just like to associate it with an account.  I guess this is more of a feature request... to see a line like:
10:56:17.414 2 HTTPU-620430([1.2.3.4]) 'jwark@tbaytel.net' linked from [1.2.3.4]:61563 to [10.1.1.106]:110 with Session-ID 642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz

That would give a direct link between an account and a session ID.  I also do not want to log HTTP requests at "All Info" level.  That level should be only for finding a problem and I cannot retroactively increase the log level.

As a side note, I have always found it difficult to associate webmail sessions with other events in the logs.  It is almost like there is a piece of information lacking in a record or something.  I have no problem with any SMTP/POP/IMAP, but Webmail always gives me a problem.

Thanks again.
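The two log lines quoted in the post do share one piece of information: the numeric connection identifier (153558) that appears in both the HTTPC-153558 line carrying the ProxyLogin POST and the HTTPU-153558 line carrying the Session redirect. The script below is an added example, not code from the post or from CommuniGate Pro; it joins the two lines on that number so that a session ID taken from a reported URL can be mapped back to the account it was issued to. It assumes the log layout is exactly what the post shows (the regular expressions and the function names are the example's own), and because the quoted Location header is cut off in the post, it matches session IDs by prefix rather than requiring an exact match.

```python
import re
from typing import Dict, List, Optional

# The two lines below are copied from the post; both are truncated there, so the
# Cookie header and the Location session ID end early. Backslash-r-n is literal.
SAMPLE_LOG: List[str] = r"""
10:48:54.504 5 HTTPC-153558 out: POST /ProxyLogin/jwark@tbaytel.net/aodhhdz.html HTTP/1.1\r\nReferer: http://mail.tbaytel.net/?restoreSessionPage=.html\r\nCookie: __utma=192908911.2112433454.1274466685.1326812208.1327419163.57; __utmc=192908911; __utmz=192908911.1327419163.57.22.utmccn=(referral)|ut
10:48:55.156 5 HTTPU-153558([10.2.26.250]) out: HTTP/1.1 301 Moved\r\nContent-Length: 577\r\nConnection: close\r\nDate: Tue, 24 Jan 2012 15:48:55 GMT\r\nContent-Type: text/html;charset=utf-8\r\nServer: CommuniGatePro/5.2.19\r\nLocation: http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aod
""".strip().splitlines()

# HTTPC line: the connection number and the account named in the ProxyLogin path.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ HTTPC-(?P<conn>\d+) out: "
    r"POST /ProxyLogin/(?P<user>[^/]+)/"
)

# HTTPU line: the same connection number, the client IP, and the session ID in the
# Location header. The ID runs until whitespace, a slash or the literal backslash of
# the next "\r\n" header separator.
SESSION_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ HTTPU-(?P<conn>\d+)\(\[(?P<ip>[^\]]+)\]\) out: "
    r".*Location: https?://[^/]+/Session/(?P<sid>[^/\s\\]+)"
)

# Logged session IDs shorter than this are too ambiguous to match by prefix.
MIN_PREFIX = 16


def correlate(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Join ProxyLogin POSTs and Session redirects on the connection number.

    Returns {connection: {"user", "session", "ip", "ts"}} for every connection
    where both lines were seen; a login without a redirect (or vice versa) is dropped.
    """
    logins: Dict[str, str] = {}
    sessions: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins[m["conn"]] = m["user"]
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions[m["conn"]] = {"session": m["sid"], "ip": m["ip"], "ts": m["ts"]}
    joined: Dict[str, Dict[str, str]] = {}
    for conn, user in logins.items():
        if conn in sessions:
            joined[conn] = {"user": user, **sessions[conn]}
    return joined


def account_for_session(lines: List[str], session_id: str) -> Optional[Dict[str, str]]:
    """Find the account behind a session ID lifted from a reported URL.

    Either side may be truncated (the log line in the post is), so the shorter
    value is accepted as a prefix of the longer one, provided it is long enough
    to be unambiguous.
    """
    for rec in correlate(lines).values():
        logged = rec["session"]
        shorter, longer = sorted((logged, session_id), key=len)
        if len(shorter) >= MIN_PREFIX and longer.startswith(shorter):
            return rec
    return None


if __name__ == "__main__":
    # Session ID as it appears in the post's short version (the log copy is cut short).
    hit = account_for_session(SAMPLE_LOG, "642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz")
    print(hit)
```

Run against a real debug-level log the join key is the connection number, not the timestamp, so the script tolerates other lines interleaved between the POST and the redirect. It answers only the question asked in the post (which account was issued the session); whether that account was the one abused still has to be confirmed from the surrounding login and IP records.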