The Security log contains information related to Kerio MailServer's security. It also contains records about all messages that failed to be delivered. The security log contains the following types of events:
Example: a message that contains a virus:
[16/Jun/2004 18:37:17] Found virus in mail from <missgold18@hotmail.com> to <support@kerio.com>: W32/Netsky.p@MM
[16/Jun/2004 18:37:17]
— the date and time when the virus was detected.
Found virus in mail
— action performed (information that the virus was found).
from <missgold18@hotmail.com>
— email address of the sender.
to <support@kerio.com>
— email address of the recipient.
W32/Netsky.p@MM
— the type of virus contained in the message.
A message with high spam score:
[16/Jun/2004 18:37:17] Message from <missgold18@hotmail.com> to <support@kerio.com> rejected by spam filter: score 9.74, threshold 5.00
[16/Jun/2004 18:37:17]
— the date and time when the message was rejected.
from <missgold18@hotmail.com>
— email address of the sender.
to <support@kerio.com>
— email address of the recipient.
rejected by spam filter
— action performed (rejection by spam filter).
score 9.74, threshold 5.00
— SpamAssassin evaluation.
This log also contains information about invalid login attempts. These are usually caused by an invalid username/password or a blocked IP address. The reason for a specific failed login can also be found in the Warning log (see chapter 25.5 Warning).
[13/Apr/2004 17:35:49] Failed IMAP login from 192.168.36.139, missing parameter in AUTHENTICATE header
[13/Apr/2004 17:35:49]
— the date and time of the failed login.
Failed IMAP login
— action performed (failed login attempt).
from 192.168.36.139
— IP address of the computer used for login attempt.
There are several possible reasons for login failure:
missing parameter in AUTHENTICATE header
— an incorrect or invalid header with login data has been sent,
authentication method PLAIN is disabled
— the authentication method is disabled in Kerio MailServer,
authentication method CRAM_MD5 is invalid or unknown
— Kerio MailServer is unable to perform authentication using this method,
error during authentication with method CRAM-MD5
— an error occurred during authentication, e.g. during communication with the authentication server,
authentication with method CRAM-MD5 cancelled by user
— the authentication was cancelled by the user (client),
(Failed IMAP login from 127.0.0.1), authentication method PLAIN
— the authentication of the user failed (the user does not exist, the password is incorrect, the user account in Kerio MailServer is disabled or the authentication couldn't be performed due to the lack of authentication data in Active Directory).
An example of a relaying attempt:
[11/Jun/2004 00:36:07] Relay attempt from IP address 61.216.46.197, mail from <wgiwknovry@hotmail.com> to <fodder@falls.igs.net> rejected
[11/Jun/2004 00:36:07]
— the date and time.
Relay attempt
— action performed (failed relaying attempt).
61.216.46.197
— IP address of the computer used for relaying attempt.
from <wgiwknovry@hotmail.com>
— email address of the sender.
to <fodder@falls.igs.net>
— email address of the recipient.
rejected
— action performed (the message was rejected).
Server overload protection — see chapter 12.2 SMTP server, section Security Options.
[16/Jun/2004 18:53:43] Directory harvest attack from 213.7.0.87 detected
[16/Jun/2004 18:53:43]
— the date and time when the attack was detected.
Directory harvest attack
— type of attack.
from 213.7.0.87
— IP address of the computer used for the attempt.
detected
— action performed (detected and blocked).
The sender's IP address was found in a blacklist database (the ORDB DNS blacklist or a custom IP address group).
[13/Apr/2004 17:44:02] IP address 212.76.71.93 found in DNS blacklist ORDB, mail from <emily.macdonald@nmc-uk.org> to <support@kerio.com>
[13/Apr/2004 17:44:02]
— the date and time when the message was received.
212.76.71.93
— IP address used for sending the message.
found in DNS blacklist ORDB
— type of action (the address was found in a database of blacklisted servers).
from <emily.macdonald@nmc-uk.org>
— email address of the sender.
to <support@kerio.com>
— email address of the recipient.
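The record formats above are regular enough to parse mechanically. The following is an added example (not part of the Kerio manual) that parses constructed sample lines in these formats and counts repeated failed logins per source address, the simplest password-guessing indicator the Security log offers; the sample addresses and IPs are constructed, not taken from a real log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the Security log formats documented above (documentation IPs, example.com addresses).
SAMPLE_LOG = """\
[16/Jun/2004 18:37:17] Found virus in mail from <a@example.com> to <support@example.com>: W32/Netsky.p@MM
[16/Jun/2004 18:37:18] Message from <b@example.com> to <support@example.com> rejected by spam filter: score 9.74, threshold 5.00
[13/Apr/2004 17:35:49] Failed IMAP login from 192.0.2.39, missing parameter in AUTHENTICATE header
[13/Apr/2004 17:35:50] Failed IMAP login from 192.0.2.39, authentication method PLAIN is disabled
[13/Apr/2004 17:35:51] Failed IMAP login from 192.0.2.39, authentication method PLAIN
[11/Jun/2004 00:36:07] Relay attempt from IP address 203.0.113.7, mail from <x@example.net> to <y@example.org> rejected
[16/Jun/2004 18:53:43] Directory harvest attack from 203.0.113.9 detected
[13/Apr/2004 17:44:02] IP address 203.0.113.10 found in DNS blacklist ORDB, mail from <e@example.org> to <support@example.com>
"""

TS = r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] "   # [dd/Mon/yyyy hh:mm:ss]
ADDR = r"from <(?P<sender>[^>]*)> to <(?P<rcpt>[^>]*)>"  # sender/recipient pair
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {  # one regex per record type described in this chapter
    "virus": re.compile(TS + r"Found virus in mail " + ADDR + r": ?(?P<detail>.+)$"),
    "spam": re.compile(TS + r"Message " + ADDR + r" rejected by spam filter: score (?P<score>[\d.]+), ?threshold (?P<threshold>[\d.]+)$"),
    "failed_login": re.compile(TS + r"Failed (?P<proto>\w+) login from " + IP + r", ?(?P<detail>.+)$"),
    "relay": re.compile(TS + r"Relay attempt from IP address " + IP + r", mail " + ADDR + r" rejected$"),
    "harvest": re.compile(TS + r"Directory harvest attack from " + IP + r" detected$"),
    "dnsbl": re.compile(TS + r"IP address " + IP + r" found in DNS blacklist (?P<detail>\S+), mail " + ADDR + r"$"),
}

def parse_line(line):
    """Return a dict for a recognised Security log line, or None otherwise."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            rec = {"kind": kind, "time": datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")}
            rec.update(m.groupdict())  # sender, rcpt, ip, detail, ... as present in that record type
            return rec
    return None

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def failed_logins_by_ip(records, threshold=3):
    """Source IPs with at least `threshold` failed logins: a password-guessing indicator worth alerting on."""
    counts = Counter(r["ip"] for r in records if r["kind"] == "failed_login")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def summary(records):
    """Number of records per event type, e.g. for a daily digest."""
    return Counter(r["kind"] for r in records)
```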
A user's mobile device was lost or stolen and the administrator wiped all user data from the device (for details, see section 36.5 Remote deletion of the device data (Wipe)).
Three types of records regarding wipe are used in the Security log. The first record informs about initiation of the wipe process. This record is always included. At this stage, the wipe process can be stopped. The second record type appears if the wipe process is stopped and cancelled. The third record is logged if the wipe process is completed successfully. The wipe is applied upon the next connection of the device to the server.
An example of a record of an initiation of the wipe process is provided below:
[22/Aug/2006 12:30:23] Device with id C588E60FCF2FB2C107FBF2ABE09CA557 (user: jwayne@company.com) will be wiped out by request Admin
An example of a record of a cancellation of the wipe process is provided below:
[22/Aug/2006 12:36:51] Wiping out of the device C588E60FCF2FB2C107FBF2ABE09CA557 (user: jwayne@company.com) has been cancelled by Admin
The third example shows information about a successful wipe-out of the data on the device:
[22/Aug/2006 12:31:11] Device C588E60FCF2FB2C107FBF2ABE09CA557 (user: jwayne@company.com), connected from: 192.168.44.178 has been irrecoverable wiped out