Strange bandwidth usage by user - from pop3

Starcraftmazter

Well-Known Member
May 5, 2006
Hello

One of my users is getting incredibly strange bandwidth usage this month. Many gigabytes are apparently being taken up by pop3. This user has no idea why this is, or what is going on. He also happens to be a trustworthy friend, so I know he isn't lying.

Awstats reports only around 80MBs usage, probably because it doesn't measure pop3 bandwidth usage. cPanel however reports substantial pop3 bandwidth usage.

The user has a total of two email accounts, both of which have well under 1MB of content inside them, and are nothing new - and have not caused problems in the past.

Here is this month's bandwidth log from cPanel's bandwidth usage.

Can anyone shed light on what the heck is going on here?

Thanks.
 

stdout

Well-Known Member
Apr 10, 2003
Nelspruit, Mpumalanga, South Africa
cPanel Access Level
Root Administrator
Just a hypothetical - maybe your user is downloading large emails or connecting way too frequently?
Perhaps it's another user's account on the same domain which is the culprit?

I would start by checking how many bytes he/she is receiving per POP3 connection and also find out how frequently he/she is accessing the mail service.

This should help - give the below command a shot:
Code:
grep [email protected] /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
 

Starcraftmazter

Well-Known Member
May 5, 2006
Hello, and thanks for replying.

As far as I have been told, the user is not downloading large emails or connecting frequently, as he has investigated this on his end to a high degree.

How would I go about checking whether there is another user who has an email on his domain? Would this be even possible?

As to the command you suggested, here is the output for both of the email accounts under that user.

Code:
[[email protected] ~]# grep [email protected] /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
[email protected], Nov 30 13:29:02 retr=11120,
[email protected], Nov 30 13:29:06 retr=24571,
[email protected], Nov 30 19:06:50 retr=9846,
[email protected], Nov 30 19:12:18 retr=46345,
[[email protected] ~]# grep [email protected] /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
[email protected], Nov 30 13:30:17 retr=6636114,
[[email protected] ~]#
Thanks!
 

stdout

Well-Known Member
Apr 10, 2003
Nelspruit, Mpumalanga, South Africa
cPanel Access Level
Root Administrator
As to the command you suggested, here is the output for both of the email accounts under that user.

Code:
[[email protected] ~]# grep [email protected] /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
[email protected], Nov 30 13:29:02 retr=11120,
[email protected], Nov 30 13:29:06 retr=24571,
[email protected], Nov 30 19:06:50 retr=9846,
[email protected], Nov 30 19:12:18 retr=46345,
[[email protected] ~]# grep [email protected] /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
[email protected], Nov 30 13:30:17 retr=6636114,
[[email protected] ~]#
Thanks!
Here's the command:
Code:
grep philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
PS. I see "[email protected]" is downloading fairly large emails.
That was just for "Nov 30th", he has probably been downloading the whole month.

Uncompress the previously saved "/var/log/maillog.1.gz" as it was rotated and grep in that log.
Code:
gunzip /var/log/maillog.1*; grep [email protected] /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
 

Starcraftmazter

Well-Known Member
May 5, 2006
Alrighty,

Code:
[[email protected] log]# grep [email protected] /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
[email protected], Nov 28 11:54:56 retr=39892553,
[email protected], Nov 29 11:53:44 retr=12669,
[email protected], Nov 29 11:55:50 retr=755481,
Here's one on the whole domain
Code:
[[email protected] log]# grep philonthe.net /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
[email protected], Nov 23 04:37:50 retr=10128,
[email protected], Nov 23 12:37:04 retr=55246,
[email protected], Nov 23 18:19:56 retr=79388,
[email protected], Nov 24 05:19:07 retr=29794,
[email protected], Nov 24 14:33:55 retr=41059,
[email protected], Nov 25 09:50:33 retr=33954,
[email protected], Nov 25 18:31:38 retr=99272,
[email protected], Nov 25 23:17:44 retr=141516,
[email protected], Nov 26 07:37:38 retr=22433,
[email protected], Nov 26 13:42:38 retr=13105,
[email protected], Nov 26 14:35:38 retr=7080,
[email protected], Nov 26 18:33:01 retr=63092,
[email protected], Nov 26 23:15:51 retr=123701,
[email protected], Nov 27 01:39:30 retr=76311,
[email protected], Nov 27 07:24:02 retr=19018,
[email protected], Nov 27 10:18:58 retr=13267,
[email protected], Nov 27 14:54:36 retr=44757,
[email protected], Nov 27 17:49:45 retr=3917,
[email protected], Nov 28 10:19:18 retr=1903,
[email protected], Nov 28 10:19:54 retr=142273,
[email protected], Nov 28 10:33:53 retr=967,
[email protected], Nov 28 11:54:56 retr=39892553,
[email protected], Nov 28 19:09:05 retr=9369,
[email protected], Nov 29 07:19:59 retr=176936,
[email protected], Nov 29 07:56:44 retr=21205,
[email protected], Nov 29 07:57:32 retr=183920,
[email protected], Nov 29 11:53:44 retr=12669,
[email protected], Nov 29 11:55:50 retr=755481,
If I understand correctly, these numbers represent bytes, do they not? In which case, the totals for the 28th of November still don't come close to the 5.5 GBs displayed in cPanel's bandwidth log.

So what's going on here :confused:

Cheers
 

stdout

Well-Known Member
Apr 10, 2003
Nelspruit, Mpumalanga, South Africa
cPanel Access Level
Root Administrator
That's right. It's in bytes - but look at those dates again.
The logs are only from Nov 23rd - 30th. You're missing 23 more days of POP3 bandwidth consumption :eek:

It is clear that these 2 email accounts are downloading substantial amounts of emails and data.
I imagine with this constant downloading, it may easily incur 5GB/monthly POP3 traffic.

Do the same thing again and gunzip /var/log/maillog.2.gz and then another grep.
 

Starcraftmazter

Well-Known Member
May 5, 2006
I'm not following.

The monthly pop3 usage is not 5GBs, it is 9.4GBs. If you have a look at the picture in my OP, cPanel claims 5.5GBs bandwidth usage through pop3 on the 28th of November alone, but the logs do not back this up.

How can this be explained?

More logs coming in a min.
 

stdout

Well-Known Member
Apr 10, 2003
Nelspruit, Mpumalanga, South Africa
cPanel Access Level
Root Administrator
How can this be explained?
More logs coming in a min.
You got me curious myself - The logs prove it all.
I am waiting in anticipation. :)

PS. You may as well do a gunzip /var/log/maillog*.gz and then a:
Code:
grep philonthe.net /var/log/maillog* | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
 

Starcraftmazter

Well-Known Member
May 5, 2006
Alright, here we go:

Unfortunately the full logs were 1,000 characters too long, so I put them here.

According to my calculation script, the grand total is 66270537, which is about 63MiB.

:confused::confused::confused:

Cheers
 

Starcraftmazter

Well-Known Member
May 5, 2006
That's pretty cool, got the same (well, very similar) number though :D

Code:
[[email protected] public_html]# grep philonthe.net /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
total:  66280694  bytes transferred over POP3
 

stdout

Well-Known Member
Apr 10, 2003
Nelspruit, Mpumalanga, South Africa
cPanel Access Level
Root Administrator
Here's a command for the "cool books" which I cooked up.
The command will give you the total bytes transferred.

Code:
grep philonthe.net /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
 
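A single-pass version of the grep/awk/cut tally above, added here as an example and not code from the thread: it breaks the retr= bytes down per mailbox and per day for one domain, which is what the comparison against cPanel's daily figure needs. It assumes Courier-style pop3d LOGOUT lines (field 7 the mailbox, optionally prefixed with user=, field 11 retr=N); the domain example.com and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Sums Courier pop3d "retr=" bytes for one
# domain in one awk pass, per mailbox and per day. Assumes Courier-style LOGOUT
# lines (field 7 = mailbox, field 11 = "retr=N,"); example.com and the log
# lines below are constructed sample data, not real server logs.

write_sample_log() {   # writes the constructed sample lines to the file in $1
    cat > "$1" <<'EOF'
Nov 28 10:19:18 srv pop3d: LOGOUT, alice@example.com, ip=[::ffff:192.0.2.10], port=[50001], top=0, retr=1903, rcvd=30, sent=2048, time=1
Nov 28 11:54:56 srv pop3d: LOGOUT, user=bob@example.com, ip=[::ffff:192.0.2.11], port=[50002], top=0, retr=39892553, rcvd=60, sent=39892700, time=120
Nov 28 19:09:05 srv pop3d: LOGOUT, alice@example.com, ip=[::ffff:192.0.2.10], port=[50003], top=0, retr=9369, rcvd=30, sent=9500, time=2
Nov 29 11:53:44 srv pop3d: LOGOUT, user=bob@example.com, ip=[::ffff:192.0.2.11], port=[50004], top=0, retr=12669, rcvd=30, sent=12800, time=3
Nov 29 12:00:00 srv pop3d: LOGOUT, alice@example.com, ip=[::ffff:192.0.2.12], port=[50005], top=0, retr=0, rcvd=12, sent=100, time=1
Nov 29 12:05:00 srv pop3d: LOGOUT, carol@other.org, ip=[::ffff:198.51.100.7], port=[50006], top=0, retr=500000, rcvd=30, sent=500100, time=4
EOF
}

# pop3_by_day LOGFILE DOMAIN -> "Mon DD mailbox bytes", one line per mailbox
# and day, sorted. Sessions with retr=0 are skipped, like "grep -v retr=0".
pop3_by_day() {
    awk -v dom="$2" '
        $5 == "pop3d:" && $6 == "LOGOUT," && $11 ~ /^retr=[0-9]+,?$/ {
            mbox = $7; sub(/,$/, "", mbox); sub(/^user=/, "", mbox)
            if (split(mbox, u, "@") != 2 || u[2] != dom) next   # other domain
            split($11, kv, /[=,]/); bytes = kv[2] + 0
            if (bytes == 0) next
            sum[$1 " " $2 " " mbox] += bytes
        }
        END { for (k in sum) printf "%s %d\n", k, sum[k] }' "$1" | sort
}

# pop3_total LOGFILE DOMAIN -> total bytes retrieved over POP3 for the domain
pop3_total() {
    pop3_by_day "$1" "$2" | awk '{ t += $4 } END { printf "%d\n", t + 0 }'
}

# bytes_to_mib BYTES -> MiB with two decimals, for comparison with cPanel's figure
bytes_to_mib() {
    awk -v b="$1" 'BEGIN { printf "%.2f\n", b / 1048576 }'
}

# Stand-alone demo on the constructed sample
log=$(mktemp) && write_sample_log "$log"
pop3_by_day "$log" example.com
total=$(pop3_total "$log" example.com)
printf 'total: %s bytes (%s MiB) over POP3\n' "$total" "$(bytes_to_mib "$total")"
rm -f "$log"
```

On a real server, replace the sample file with /var/log/maillog* after gunzipping the rotated copies, as the thread does.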

stdout

Well-Known Member
Apr 10, 2003
Nelspruit, Mpumalanga, South Africa
cPanel Access Level
Root Administrator
Wow, how did that post ordering occur =/
Ok. It's safe to conclude that something is "amiss". You'll need to contact cPanel with the findings and see whether it's a bug or if we're missing something.

Code:
[email protected] [~]# cat xx | awk {'print $5'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t /1024 /1024, " megabytes"}'
total: 63.2102 megabytes
 

hightekhosting

Active Member
Aug 12, 2007
Abnormal Bandwidth Usage / Incorrect Usage

Hello all,

Before I go into detail, I must advise that we have opened a ticket with cPanel, however, as they have a high load of tickets at the moment, I thought I may put this out for discussion as someone else on the forums may have an idea on how to fix this issue.

Since upgrading to the latest cPanel RELEASE, one of the resellers on one of our servers has had very rapidly increasing bandwidth usage with some accounts being suspended.

Normally, these accounts would be using around 1-2GB a month or less and have suddenly gone to 14GB... quite a large jump indeed.

In particular, all accounts owned by the reseller are having their bandwidth reported in a way they believe is incorrect.

We are given the idea that they are incorrect as when we process stats manually for the account via WHM, the usage almost adds another GB or 2 of bandwidth used, and this is done in less than a few minutes after unsuspending.

If anybody has any ideas they could share, it would be greatly appreciated.

Regards,

Hightek Hosting Support
 

hightekhosting

Active Member
Aug 12, 2007
Hi Nick,

Thanks for your response :)

Ticket No#: 350253

I really look forward to a resolution soon.

Regards,

Dale E
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
cPanel Access Level
DataCenter Provider
Yep?

It is indeed (message too short).
There appears to be a race condition with vzfs (it may not be limited to vzfs, but we haven't seen it on any other systems as of yet) that causes tell() to return a point that is outside the log file (which should not be possible) when there is a significant amount of writes to the log file. This in turn causes tailwatchd to reopen the log file and reprocess it from the start because it thinks the log file has been replaced with a new file (by logrotate).

We have developed a work-around for this problem. If you would like to try it please open a ticket with "ATTN: Nick" in the subject and post the # here.

Thanks
-Nick