Massive POP3 Bandwidth - Stuck in a Loop

[jethrodesign]

Hi, we have one client who saw a giant increase in bandwidth last week, and it is all showing as traffic from POP3. It's averaging 7+GB/day, where previously it was 40MB/day! Everything else is normal (which is very low).

I found out that the day the traffic spiked the client had setup a new account at Outlook.com and set it to check her domain email using POP3. Previously, she had used an Outlook desktop client on her computer using IMAP. She does have a lot of stored emails with some sizable attachments.

So wondering if the account on Outlook.com could be stuck in some sort of a 'download loop?!?' She still has her email on the server when she checks via desktop Outlook.

She tried to disable the account in Outlook.com, but was not able to login using the email and password she setup. She eventually was able to get support staff to help her, but they just setup a new account using the same info and said that IT WOULD OVERRIDE THE PREVIOUS account (think they were only able to find it using her phone number). So there's some weirdness trying to get to that account she setup.

- Is there anything I can do from the WHM/cPanel side of things to stop this one particular run-away POP3 account without disabling email altogether??

Obviously, would be important not to lose her email in the process.

- Could this be some sort of malicious behavior that would cause such a huge spike in POP3 traffic?

Thanks!

 

[cPanelMichael]

Hello

This seems like an issue with the POP3 email client, as it continues to download the messages. Has the user tried reporting the issue to Outlook to determine if there are any settings they can adjust in their email client to correct the problem? There's a thread here that should help you verify that it's this specific user downloading the messages via POP3 that's the culprit:

Tracking Down Excessive POP3 Usage

Thank you.

 

[jethrodesign]

Hello

This seems like an issue with the POP3 email client, as it continues to download the messages. Has the user tried reporting the issue to Outlook to determine if there are any settings they can adjust in their email client to correct the problem? There's a thread here that should help you verify that it's this specific user downloading the messages via POP3 that's the culprit:

Tracking Down Excessive POP3 Usage

Thank you.

Hi Michael,
Thanks for the response. I read through the other thread and ran the command that was given (sorry, I'm not very experienced with SSH/Command Line). Here's the results that were given:

total:  63699761019  bytes transferred over POP3

I'm not sure what time-frame this is indicating, but it does show 63GB for this domain over POP3. Typical monthly bandwidth for this account (including POP3, IMAP, HTTP, etc) is 1-2GB. And as the traffic spike coincided with the change that the main user I spoke with made regarding checking email, I would have to assume it's her email that is the issue.

As mentioned, she had setup Outlook.com (not a desktop Outlook client) to check her email via POP3. Her mailbox storage is showing at almost 500MB in cPanel, so there's got to be a fair amount of sizable attachments. So should we assume that the Outlook.com app is just repeatedly downloading all of her email?!?

I can have her try to contact MS support again, but as mentioned, they had just setup a new account using her same phone number and a different email account (the one that is causing issues), as they said this SHOULD overwrite anything that had been setup before and stop the account checking. Obviously, this didn't work, which makes me worried that there's a rogue app stuck in a loop that nobody can actually find...

- Is there nothing I can do from WHM/cPanel to break this loop???

Thanks!

 

[jethrodesign]

Hi, just wanted to check-in here to see if anyone has any 'creative' ideas on how to block this run-away POP3 account without disrupting the email system altogether?

I don't think the client is getting very far with MS Support, and the bandwidth is now growing exponentially every day (it was up to 15.5GB yesterday!!).

Thanks.

 

[cPanelMichael]

Hello,

Have you tried having the user switch to an alternate email client temporarily just to narrow down the cause of the issue to the Outlook service? You could see if the bandwidth goes back down to normal usage during this test period.

Thank you.

 

[jethrodesign]

Hi, thanks for the reply. It didn't matter what email client she was using, as she was actually using 2 alternate desktop version of Outlook (on 2 laptops). It was just the rogue Outlook.com account, which could not be located, which was causing the issue. MS Support was not able to help, but stated they've seen this happen before and were thinking that after 30 days or so of inactivity, the account would be disabled.

HOWEVER, we found that sometimes the most obvious idea is the hardest to see - we had her change her email account password. The rogue account could no longer access her email, and thus stopped the run-away download loop!

Thanks for the help here, though! Hopefully this odd anomaly won't happen to anyone else, and if it does, they'll think about changing password sooner than we did ; )

 

[gryzli]

I was going to suggest you the same, before reading your last post

Now you could even track down the "bad" IP whch is trying to connect with wrong credentials, and this could help for future troubleshooting and finding the problematic source.

Hi, thanks for the reply. It didn't matter what email client she was using, as she was actually using 2 alternate desktop version of Outlook (on 2 laptops). It was just the rogue Outlook.com account, which could not be located, which was causing the issue. MS Support was not able to help, but stated they've seen this happen before and were thinking that after 30 days or so of inactivity, the account would be disabled.

HOWEVER, we found that sometimes the most obvious idea is the hardest to see - we had her change her email account password. The rogue account could no longer access her email, and thus stopped the run-away download loop!

Thanks for the help here, though! Hopefully this odd anomaly won't happen to anyone else, and if it does, they'll think about changing password sooner than we did ; )

 

[chocadv]

I have experienced a similar experience with our site normally showing a Pop3 bandwidth of 1GB per month, however is showing 100GB over the last three days. This also occurred towards the end of last month and I changed our cPanel password then, and saw no extraordinary action for a week. Changing the password today has brought traffic back to normal, so I'll keep checking daily. Our server is LiquidWeb who were unable to give me a solution. We have many email accounts and to ask all users to change passwords is a little frightening. I am interested in knowing how to track down the "bad" IP mentioned in Gryzli's post.

 

[gryzli]

Finding the "bad ip" after you have the password changed, must be pretty straight forward.
We can assume that the "bad ip " or the "bad client" will continue to try to login with the wrong credentials, which will generate authentication failures in /var/log/maillog and cphulk also.
Grepping the maillog is pretty straight forward. Here is an example if you use Dovecot:

grep pop3 /var/log/maillog | grep "auth failed" | grep "[email protected]"

In the resulting lines from grep, you will see the accessing IP in the "rip=XXX.XXX.XXX.XXX" field.

Then you could make additional whois on the IP in order to find some more info about it.

 

[cPanelMichael]

HOWEVER, we found that sometimes the most obvious idea is the hardest to see - we had her change her email account password. The rogue account could no longer access her email, and thus stopped the run-away download loop!

Thanks for the help here, though! Hopefully this odd anomaly won't happen to anyone else, and if it does, they'll think about changing password sooner than we did ; )

I'm happy to see you were able to find a suitable resolution. Thank you for taking the time to update this thread with the outcome.