The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Strange bandwidth usage by user - from pop3

Discussion in 'General Discussion' started by Starcraftmazter, Nov 30, 2008.

  1. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Hello

    One of my users is getting incredibly strange bandwidth usage this month. Many gigabytes are apparently being taken up by pop3. This user has no idea why this is, or what is going on. He also happens to be a trustworthy friend, so I know he isn't lying.

    Awstats reports only around 80MBs usage, probably because it doesn't measure pop3 bandwidth usage. cPanel however reports substantial pop3 bandwidth usage.

    The user has a total of two email accounts, both of which have well under 1MB of content inside them, and are nothing new - and have not caused problems in the past.

    Here is this month's bandwidth log from cPanel's bandwidth usage.

    [​IMG]


    Can anyone shed light on what the heck is going on here?

    Thanks.
     
  2. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Just a hypothetical - maybe your user is downloading large emails or connecting way too frequently?
    Perhaps it's another user's account on the same domain which is the culprit?

    I would start by checking how many bytes he/she is receiving per POP3 connection and to also find out how frequent he/she is accessing the mail service..

    This should help - give the below command a shot:
    Code:
    grep username@userdomain.com /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
     
  3. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Hello, and thanks for replying.

    As far as I have been told, the user is not downloading large emails or connecting frequently, as he has investigated this on his end to a high degree.

    How would I go about checking whether there is another user who has an email on his domain? Would this be even possible?

    As to the command you suggested, here is the output for both of the email accounts under that user.

    Code:
    [root@tesla ~]# grep phil@staff.philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
    user=phil@staff.philonthe.net, Nov 30 13:29:02 retr=11120,
    user=phil@staff.philonthe.net, Nov 30 13:29:06 retr=24571,
    user=phil@staff.philonthe.net, Nov 30 19:06:50 retr=9846,
    user=phil@staff.philonthe.net, Nov 30 19:12:18 retr=46345,
    [root@tesla ~]# grep j.hawthorne@philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
    user=j.hawthorne@philonthe.net, Nov 30 13:30:17 retr=6636114,
    [root@tesla ~]# 
    
    Thanks!
     
  4. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Here's the command:
    Code:
    grep philonthe.net /var/log/maillog | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
    PS. I see "j.hawthorne@philonthe.net" is downloading fairly large emails.
    That was just for "Nov 30th", he has probably been downloading the whole month.

    Uncompress the previously saved "/var/log/maillog.1.gz" as it was rotated and grep in that log.
    Code:
    gunzip /var/log/maillog.1*; grep j.hawthorne@philonthe.net /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
     
  5. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Alrighty,

    Code:
    [root@tesla log]# grep j.hawthorne@philonthe.net /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
    user=j.hawthorne@philonthe.net, Nov 28 11:54:56 retr=39892553,
    user=j.hawthorne@philonthe.net, Nov 29 11:53:44 retr=12669,
    user=j.hawthorne@philonthe.net, Nov 29 11:55:50 retr=755481,
    
    Here's one on the whole domain
    Code:
    [root@tesla log]# grep philonthe.net /var/log/maillog.1 | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
    user=phil@staff.philonthe.net, Nov 23 04:37:50 retr=10128,
    user=phil@staff.philonthe.net, Nov 23 12:37:04 retr=55246,
    user=phil@staff.philonthe.net, Nov 23 18:19:56 retr=79388,
    user=phil@staff.philonthe.net, Nov 24 05:19:07 retr=29794,
    user=phil@staff.philonthe.net, Nov 24 14:33:55 retr=41059,
    user=phil@staff.philonthe.net, Nov 25 09:50:33 retr=33954,
    user=phil@staff.philonthe.net, Nov 25 18:31:38 retr=99272,
    user=phil@staff.philonthe.net, Nov 25 23:17:44 retr=141516,
    user=phil@staff.philonthe.net, Nov 26 07:37:38 retr=22433,
    user=phil@staff.philonthe.net, Nov 26 13:42:38 retr=13105,
    user=phil@staff.philonthe.net, Nov 26 14:35:38 retr=7080,
    user=phil@staff.philonthe.net, Nov 26 18:33:01 retr=63092,
    user=phil@staff.philonthe.net, Nov 26 23:15:51 retr=123701,
    user=phil@staff.philonthe.net, Nov 27 01:39:30 retr=76311,
    user=phil@staff.philonthe.net, Nov 27 07:24:02 retr=19018,
    user=phil@staff.philonthe.net, Nov 27 10:18:58 retr=13267,
    user=phil@staff.philonthe.net, Nov 27 14:54:36 retr=44757,
    user=phil@staff.philonthe.net, Nov 27 17:49:45 retr=3917,
    user=phil@staff.philonthe.net, Nov 28 10:19:18 retr=1903,
    user=phil@staff.philonthe.net, Nov 28 10:19:54 retr=142273,
    user=phil@staff.philonthe.net, Nov 28 10:33:53 retr=967,
    user=j.hawthorne@philonthe.net, Nov 28 11:54:56 retr=39892553,
    user=phil@staff.philonthe.net, Nov 28 19:09:05 retr=9369,
    user=phil@staff.philonthe.net, Nov 29 07:19:59 retr=176936,
    user=phil@staff.philonthe.net, Nov 29 07:56:44 retr=21205,
    user=phil@staff.philonthe.net, Nov 29 07:57:32 retr=183920,
    user=j.hawthorne@philonthe.net, Nov 29 11:53:44 retr=12669,
    user=j.hawthorne@philonthe.net, Nov 29 11:55:50 retr=755481,
    
    If I understand correctly, these numbers represent bytes, do they not? In which case, the totals for the 28th of November still don't come close to the 5.5 GBs displayed in cPanel's bandwidth log.

    So what's going on here :confused:

    Cheers
     
  6. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    That's right. It's in bytes - but look at those dates again.
    The logs are only from Nov 23rd - 30th. You're missing 23 more days of POP3 bandwidth consumption :eek:

    It is clear that these 2 email accounts are downloading substantial amounts of emails and data.
    I imagine with this constant downloading, it may easily incur 5GB/monthly POP3 traffic.

    Do the same thing again and gunzip /var/log/maillog.2.gz and then another grep.
     
  7. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    I'm not following.

    The monthly pop3 usage is not 5GBs, it is 9.4GBs. If you have a look at the picture in my OP, it cPanel claims 5.5GBs bandwidth usage through pop3 on the 28th of November alone, but the logs do not back this up.

    How can this be explained?

    More logs coming in a min.
     
  8. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    You got me curious myself - The logs prove it all.
    I am waiting in anticipation. :)

    PS. You may as well do a gunzip /var/log/maillog*.gz and then a:
    Code:
    grep philonthe.net /var/log/maillog* | grep retr= | awk {'print $7" "$1" "$2" "$3" "$11'} | grep -v retr=0
     
  9. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Alright, here we go:

    Unfortunately the full logs were 1,000 characters too long, so I put them here.

    According to my calculation script, the grand total is 66270537, which is about 63MiB.

    :confused::confused::confused:

    Cheers
     
  10. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    That's pretty cool, got the same (well, very similar) number though :D

    Code:
    [root@tesla public_html]# grep philonthe.net /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
    total:  66280694  bytes transferred over POP3
    
     
  11. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Here's a command for the "cool books" which I cooked up.
    The command will give you the total bytes transferred.

     
  12. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Wow, how did that post ordering occur =/
     
  13. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Ok. It's safe to conclude that something is "amiss". You'll need to contact cPanel with the findings and see whether its a bug or if we're missing something.


     
  14. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Alright, thanks for your help!
     
  15. hightekhosting

    hightekhosting Active Member

    Joined:
    Aug 12, 2007
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Abnormal Bandwidth Usage / Incorrect Usage

    Hello all,

    Before I go into detail, I must advise that we have opened a ticket with cPanel, however, as they have a high load of tickets at the moment, I thought I may put this out for discussion as someone else on the forums may have an idea on how to fix this issue.

    Since upgrading to the latest cPanel RELEASE, one of the resellers on one of our servers has had very rapidly increasing bandwidth usage with some accounts being suspended.

    Normally, these accounts would be using around 1-2GB a month or less and have suddenly
    gone to 14GB...quite a large jump indeed.

    In particular, all accounts owned by the reseller are having the bandwidth
    reported what they believe is incorrectly.

    We are given the idea that they are incorrect as when we process stats manually for the account via WHM, the usage almost adds another GB or 2 of bandwidth used, and this is done in less than a few minutes after unsuspending.

    If anybody has any ideas they could share, it would be greatly appreciated.

    Regards,

    Hightek Hosting Support
     
  16. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Please post the ticket #. Thanks
     
  17. hightekhosting

    hightekhosting Active Member

    Joined:
    Aug 12, 2007
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Hi Nick,

    Thanks for your response :)

    Ticket No#: 350253

    I really look forward to a resolution soon.

    Regards,

    Dale E
     
  18. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Are the affected machines running vzfs on virtuozzo ?
     
  19. Starcraftmazter

    Starcraftmazter Well-Known Member

    Joined:
    May 5, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Yep?

    It is indeed (message too short).
     
  20. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    There appears to be a race condition with vzfs (it may not be limited to vzfs, but we haven't seen it on any other systems as of yet) that causes tell() to return a point that is outside the log file (which should not be possible) when there are a significant? amount of writes to the log file. This in turn causes tailwatchd to reopen the log file and reprocess it from the start because it thinks the log file has been replaced with a new file (by logrotate).

    We have developed a work-around for this problem. If you would like to try it please open a ticket with "ATTN: Nick" in the subject and post the # here.

    Thanks
    -Nick
     
Loading...

Share This Page