Strange bandwidth usage by user - from pop3

[Starcraftmazter]

Hello

One of my users is getting incredibly strange bandwidth usage this month. Many gigabytes are apparently being taken up by pop3. This user has no idea why this is, or what is going on. He also happens to be a trustworthy friend, so I know he isn't lying.

Awstats reports only around 80MBs usage, probably because it doesn't measure pop3 bandwidth usage. cPanel however reports substantial pop3 bandwidth usage.

The user has a total of two email accounts, both of which have well under 1MB of content inside them, and are nothing new - and have not caused problems in the past.

Here is this month's bandwidth log from cPanel's bandwidth usage.




Can anyone shed light on what the heck is going on here?

Thanks.

[stdout]

Just a hypothetical - maybe your user is downloading large emails or connecting way too frequently?
Perhaps it's another user's account on the same domain which is the culprit?

I would start by checking how many bytes he/she is receiving per POP3 connection and to also find out how frequent he/she is accessing the mail service..

This should help - give the below command a shot:

Code:

grep username@userdomain.com /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0

[Starcraftmazter]

Hello, and thanks for replying.

As far as I have been told, the user is not downloading large emails or connecting frequently, as he has investigated this on his end to a high degree.

How would I go about checking whether there is another user who has an email on his domain? Would this be even possible?

As to the command you suggested, here is the output for both of the email accounts under that user.

Code:

[root@tesla ~]# grep phil@staff.philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
user=phil@staff.philonthe.net, Nov 30 13:29:02 retr=11120,
user=phil@staff.philonthe.net, Nov 30 13:29:06 retr=24571,
user=phil@staff.philonthe.net, Nov 30 19:06:50 retr=9846,
user=phil@staff.philonthe.net, Nov 30 19:12:18 retr=46345,
[root@tesla ~]# grep j.hawthorne@philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
user=j.hawthorne@philonthe.net, Nov 30 13:30:17 retr=6636114,
[root@tesla ~]#

Thanks!

[stdout]

As to the command you suggested, here is the output for both of the email accounts under that user.

Code:

[root@tesla ~]# grep phil@staff.philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
user=phil@staff.philonthe.net, Nov 30 13:29:02 retr=11120,
user=phil@staff.philonthe.net, Nov 30 13:29:06 retr=24571,
user=phil@staff.philonthe.net, Nov 30 19:06:50 retr=9846,
user=phil@staff.philonthe.net, Nov 30 19:12:18 retr=46345,
[root@tesla ~]# grep j.hawthorne@philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
user=j.hawthorne@philonthe.net, Nov 30 13:30:17 retr=6636114,
[root@tesla ~]#

Thanks!

Here's the command:

Code:

grep philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0

PS. I see "j.hawthorne@philonthe.net" is downloading fairly large emails.
That was just for "Nov 30th", he has probably been downloading the whole month.

Uncompress the previously saved "/var/log/maillog.1.gz" as it was rotated and grep in that log.

Code:

gunzip /var/log/maillog.1*; grep j.hawthorne@philonthe.net /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0

[Starcraftmazter]

Alrighty,

Code:

[root@tesla log]# grep j.hawthorne@philonthe.net /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
user=j.hawthorne@philonthe.net, Nov 28 11:54:56 retr=39892553,
user=j.hawthorne@philonthe.net, Nov 29 11:53:44 retr=12669,
user=j.hawthorne@philonthe.net, Nov 29 11:55:50 retr=755481,

Here's one on the whole domain

Code:

[root@tesla log]# grep philonthe.net /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
user=phil@staff.philonthe.net, Nov 23 04:37:50 retr=10128,
user=phil@staff.philonthe.net, Nov 23 12:37:04 retr=55246,
user=phil@staff.philonthe.net, Nov 23 18:19:56 retr=79388,
user=phil@staff.philonthe.net, Nov 24 05:19:07 retr=29794,
user=phil@staff.philonthe.net, Nov 24 14:33:55 retr=41059,
user=phil@staff.philonthe.net, Nov 25 09:50:33 retr=33954,
user=phil@staff.philonthe.net, Nov 25 18:31:38 retr=99272,
user=phil@staff.philonthe.net, Nov 25 23:17:44 retr=141516,
user=phil@staff.philonthe.net, Nov 26 07:37:38 retr=22433,
user=phil@staff.philonthe.net, Nov 26 13:42:38 retr=13105,
user=phil@staff.philonthe.net, Nov 26 14:35:38 retr=7080,
user=phil@staff.philonthe.net, Nov 26 18:33:01 retr=63092,
user=phil@staff.philonthe.net, Nov 26 23:15:51 retr=123701,
user=phil@staff.philonthe.net, Nov 27 01:39:30 retr=76311,
user=phil@staff.philonthe.net, Nov 27 07:24:02 retr=19018,
user=phil@staff.philonthe.net, Nov 27 10:18:58 retr=13267,
user=phil@staff.philonthe.net, Nov 27 14:54:36 retr=44757,
user=phil@staff.philonthe.net, Nov 27 17:49:45 retr=3917,
user=phil@staff.philonthe.net, Nov 28 10:19:18 retr=1903,
user=phil@staff.philonthe.net, Nov 28 10:19:54 retr=142273,
user=phil@staff.philonthe.net, Nov 28 10:33:53 retr=967,
user=j.hawthorne@philonthe.net, Nov 28 11:54:56 retr=39892553,
user=phil@staff.philonthe.net, Nov 28 19:09:05 retr=9369,
user=phil@staff.philonthe.net, Nov 29 07:19:59 retr=176936,
user=phil@staff.philonthe.net, Nov 29 07:56:44 retr=21205,
user=phil@staff.philonthe.net, Nov 29 07:57:32 retr=183920,
user=j.hawthorne@philonthe.net, Nov 29 11:53:44 retr=12669,
user=j.hawthorne@philonthe.net, Nov 29 11:55:50 retr=755481,

If I understand correctly, these numbers represent bytes, do they not? In which case, the totals for the 28th of November still don't come close to the 5.5 GBs displayed in cPanel's bandwidth log.

So what's going on here

Cheers

[stdout]

That's right. It's in bytes - but look at those dates again.
The logs are only from Nov 23rd - 30th. You're missing 23 more days of POP3 bandwidth consumption

It is clear that these 2 email accounts are downloading substantial amounts of emails and data.
I imagine with this constant downloading, it may easily incur 5GB/monthly POP3 traffic.

Do the same thing again and gunzip /var/log/maillog.2.gz and then another grep.

[Starcraftmazter]

I'm not following.

The monthly pop3 usage is not 5GBs, it is 9.4GBs. If you have a look at the picture in my OP, it cPanel claims 5.5GBs bandwidth usage through pop3 on the 28th of November alone, but the logs do not back this up.

How can this be explained?

More logs coming in a min.

[stdout]

How can this be explained?
More logs coming in a min.

You got me curious myself - The logs prove it all.
I am waiting in anticipation.

PS. You may as well do a gunzip /var/log/maillog*.gz and then a:

Code:

grep philonthe.net /var/log/maillog* | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0

[Starcraftmazter]

Alright, here we go:

Unfortunately the full logs were 1,000 characters too long, so I put them here.

According to my calculation script, the grand total is 66270537, which is about 63MiB.



Cheers

[Starcraftmazter]

That's pretty cool, got the same (well, very similar) number though

Code:

[root@tesla public_html]# grep philonthe.net /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
total:  66280694  bytes transferred over POP3

[stdout]

Here's a command for the "cool books" which I cooked up.
The command will give you the total bytes transferred.

grep philonthe.net /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'

[Starcraftmazter]

Wow, how did that post ordering occur =/

[stdout]

Wow, how did that post ordering occur =/

Ok. It's safe to conclude that something is "amiss". You'll need to contact cPanel with the findings and see whether its a bug or if we're missing something.

nerds@cpanelnerds.com [~]# cat xx | awk {'print $5'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t /1024 /1024, " megabytes"}'
total: 63.2102 megabytes

[Starcraftmazter]

Alright, thanks for your help!

[hightekhosting]

Hello all,

Before I go into detail, I must advise that we have opened a ticket with cPanel, however, as they have a high load of tickets at the moment, I thought I may put this out for discussion as someone else on the forums may have an idea on how to fix this issue.

Since upgrading to the latest cPanel RELEASE, one of the resellers on one of our servers has had very rapidly increasing bandwidth usage with some accounts being suspended.

Normally, these accounts would be using around 1-2GB a month or less and have suddenly
gone to 14GB...quite a large jump indeed.

In particular, all accounts owned by the reseller are having the bandwidth
reported what they believe is incorrectly.

We are given the idea that they are incorrect as when we process stats manually for the account via WHM, the usage almost adds another GB or 2 of bandwidth used, and this is done in less than a few minutes after unsuspending.

If anybody has any ideas they could share, it would be greatly appreciated.

Regards,

Hightek Hosting Support