nwilkins83
Member, joined Sep 20, 2013
cPanel Access Level: Root Administrator
Hello,

I host a close friend's website and I have just noticed his bandwidth usage was normally around 1.5GB - 2GB max per month... Then all of a sudden, looking at the logs last October, his bandwidth usage shot up to 25GB per month. Looking at the attached files it seems to be due to POP... Now he only has 1 mailbox on this domain, which I include some output from below:

Code:
[~]# grep Domain-name-in-question /var/log/maillog* | grep retr= | grep -v retr=0 | awk '{print $11}' | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'

total: 26077432943 bytes transferred over POP3 (24GB)

This tallies up with what the cPanel bandwidth monitor is telling me.

Then I did the following:

Code:
[~]# grep Domain-name-in-question /var/log/maillog | grep retr= | awk '{print $7" "$1" "$2" "$3" "$11}' | grep -v retr=0
user=Domain-name-in-question, Feb 9 03:37:25 retr=18803870,
user=Domain-name-in-question, Feb 9 04:08:20 retr=18803870,
user=Domain-name-in-question, Feb 9 04:39:33 retr=18803870,
user=Domain-name-in-question, Feb 9 05:10:41 retr=18803870,
user=Domain-name-in-question, Feb 9 05:41:56 retr=18803870,
user=Domain-name-in-question, Feb 9 06:13:00 retr=18803870,
user=Domain-name-in-question, Feb 9 06:43:53 retr=18803870,
user=Domain-name-in-question, Feb 9 07:15:07 retr=18806795,
user=Domain-name-in-question, Feb 9 07:45:57 retr=18803870,
user=Domain-name-in-question, Feb 9 08:17:01 retr=18803870,
user=Domain-name-in-question, Feb 9 08:48:08 retr=18803870,
user=Domain-name-in-question, Feb 9 09:19:05 retr=18803870,
user=Domain-name-in-question, Feb 9 09:50:19 retr=18803870,
user=Domain-name-in-question, Feb 9 10:21:06 retr=18803870,
user=Domain-name-in-question, Feb 9 10:52:20 retr=18803870,
user=Domain-name-in-question, Feb 9 11:23:34 retr=18829042,
user=Domain-name-in-question, Feb 9 11:54:43 retr=18803870,
user=Domain-name-in-question, Feb 9 12:25:58 retr=18803870,
user=Domain-name-in-question, Feb 9 12:56:51 retr=18803870,
user=Domain-name-in-question, Feb 9 13:27:56 retr=18809379,
user=Domain-name-in-question, Feb 9 13:59:11 retr=18803870,
user=Domain-name-in-question, Feb 9 14:30:25 retr=18803870,
user=Domain-name-in-question, Feb 9 15:01:44 retr=18803870,
user=Domain-name-in-question, Feb 9 15:32:40 retr=18803870,
user=Domain-name-in-question, Feb 9 16:03:53 retr=18803870,
user=Domain-name-in-question, Feb 9 16:34:51 retr=18806943,
user=Domain-name-in-question, Feb 9 17:06:08 retr=18803870,
user=Domain-name-in-question, Feb 9 17:37:17 retr=18803870,
user=Domain-name-in-question, Feb 9 18:38:18 retr=18803870,
user=Domain-name-in-question, Feb 9 19:10:15 retr=18803870,
user=Domain-name-in-question, Feb 9 19:41:31 retr=18803870,
user=Domain-name-in-question, Feb 9 20:12:54 retr=18803870,
user=Domain-name-in-question, Feb 9 20:43:51 retr=18803870,
user=Domain-name-in-question, Feb 9 21:15:05 retr=18804607,
user=Domain-name-in-question, Feb 9 23:16:54 retr=18803870,
user=Domain-name-in-question, Feb 9 23:48:23 retr=18803870,
user=Domain-name-in-question, Feb 10 00:18:43 retr=18803870,
user=Domain-name-in-question, Feb 10 00:50:04 retr=18803870,
user=Domain-name-in-question, Feb 10 01:21:37 retr=18803870,
user=Domain-name-in-question, Feb 10 01:52:48 retr=18803870,
user=Domain-name-in-question, Feb 10 02:23:36 retr=18803870,
user=Domain-name-in-question, Feb 10 02:54:44 retr=18803870,
user=Domain-name-in-question, Feb 10 03:25:46 retr=18803870,
user=Domain-name-in-question, Feb 10 03:56:38 retr=18803870,
user=Domain-name-in-question, Feb 10 04:27:51 retr=18803870,
user=Domain-name-in-question, Feb 10 04:58:42 retr=18803870,
user=Domain-name-in-question, Feb 10 05:29:43 retr=18803870,
user=Domain-name-in-question, Feb 10 06:00:37 retr=18803870,
user=Domain-name-in-question, Feb 10 06:31:35 retr=18803870,
user=Domain-name-in-question, Feb 10 07:02:35 retr=18803870,
user=Domain-name-in-question, Feb 10 07:33:47 retr=18803870,
user=Domain-name-in-question, Feb 10 08:04:54 retr=18803870,
user=Domain-name-in-question, Feb 10 08:36:08 retr=18803870,
user=Domain-name-in-question, Feb 10 09:07:11 retr=18804850,
user=Domain-name-in-question, Feb 10 09:38:31 retr=18803870,
user=Domain-name-in-question, Feb 10 10:09:42 retr=18803870,
user=Domain-name-in-question, Feb 10 10:40:49 retr=18803870,
user=Domain-name-in-question, Feb 10 11:12:02 retr=18809215,
user=Domain-name-in-question, Feb 10 11:42:52 retr=18803870,
user=Domain-name-in-question, Feb 10 12:13:52 retr=18803870,
user=Domain-name-in-question, Feb 10 12:44:55 retr=18803870,
user=Domain-name-in-question, Feb 10 13:16:06 retr=18803870,
user=Domain-name-in-question, Feb 10 13:46:59 retr=18803870,
user=Domain-name-in-question, Feb 10 14:17:56 retr=18803870,
user=Domain-name-in-question, Feb 10 14:48:52 retr=18986667,
user=Domain-name-in-question, Feb 10 15:20:02 retr=18831783,
user=Domain-name-in-question, Feb 10 15:51:11 retr=18803870,
user=Domain-name-in-question, Feb 10 16:22:14 retr=18803870,
user=Domain-name-in-question, Feb 10 16:53:23 retr=18803870,
user=Domain-name-in-question, Feb 10 17:24:15 retr=18803870,
user=Domain-name-in-question, Feb 10 17:55:22 retr=18803870,
user=Domain-name-in-question, Feb 10 18:26:33 retr=18803870,
user=Domain-name-in-question, Feb 10 18:57:44 retr=18803870,
user=Domain-name-in-question, Feb 10 19:28:54 retr=18803870,
user=Domain-name-in-question, Feb 10 20:30:27 retr=18803870,
user=Domain-name-in-question, Feb 10 21:01:40 retr=18803870,
user=Domain-name-in-question, Feb 10 21:32:50 retr=18803870,
user=Domain-name-in-question, Feb 10 22:04:24 retr=21594529,
user=Domain-name-in-question, Feb 10 22:35:17 retr=18803870,
user=Domain-name-in-question, Feb 10 23:07:01 retr=18803870,
user=Domain-name-in-question, Feb 10 23:38:16 retr=18803870,
user=Domain-name-in-question, Feb 11 00:08:59 retr=18808270,
user=Domain-name-in-question, Feb 11 00:40:07 retr=18803870,
user=Domain-name-in-question, Feb 11 01:15:21 retr=18810434,
user=Domain-name-in-question, Feb 11 01:47:19 retr=18821494,
user=Domain-name-in-question, Feb 11 02:18:23 retr=18803870,
user=Domain-name-in-question, Feb 11 02:49:41 retr=18803870,
user=Domain-name-in-question, Feb 11 03:51:07 retr=18803870,
user=Domain-name-in-question, Feb 11 04:22:15 retr=18910338,
user=Domain-name-in-question, Feb 11 04:53:03 retr=18803870,
user=Domain-name-in-question, Feb 11 05:24:13 retr=18810588,
user=Domain-name-in-question, Feb 11 05:55:49 retr=18803870,
user=Domain-name-in-question, Feb 11 06:26:47 retr=18803870,
user=Domain-name-in-question, Feb 11 06:57:56 retr=18803870,
user=Domain-name-in-question, Feb 11 07:28:59 retr=18806785,
user=Domain-name-in-question, Feb 11 08:30:29 retr=18806785,
user=Domain-name-in-question, Feb 11 09:01:54 retr=19835569,
user=Domain-name-in-question, Feb 11 09:32:51 retr=18803870,
user=Domain-name-in-question, Feb 11 10:04:13 retr=18803870,
user=Domain-name-in-question, Feb 11 10:35:04 retr=18808540,
user=Domain-name-in-question, Feb 11 11:36:34 retr=18863925,
user=Domain-name-in-question, Feb 11 12:07:41 retr=18819464,
user=Domain-name-in-question, Feb 11 12:38:36 retr=18803870,
user=Domain-name-in-question, Feb 11 13:09:41 retr=18803870,
user=Domain-name-in-question, Feb 11 13:40:49 retr=18803870,
user=Domain-name-in-question, Feb 11 14:11:55 retr=18803870,
user=Domain-name-in-question, Feb 11 14:43:07 retr=18803870,
user=Domain-name-in-question, Feb 11 15:14:26 retr=18803870,
user=Domain-name-in-question, Feb 11 15:45:22 retr=18803870,
user=Domain-name-in-question, Feb 11 16:16:59 retr=18803870,
user=Domain-name-in-question, Feb 11 16:48:09 retr=18803870,
user=Domain-name-in-question, Feb 11 17:19:14 retr=18803870,
user=Domain-name-in-question, Feb 11 17:50:54 retr=18803870,
user=Domain-name-in-question, Feb 11 18:22:06 retr=18803870,
user=Domain-name-in-question, Feb 11 19:23:41 retr=18803870,
user=Domain-name-in-question, Feb 11 19:54:56 retr=18803870,
user=Domain-name-in-question, Feb 11 20:26:04 retr=18803870,
user=Domain-name-in-question, Feb 11 20:57:15 retr=18803870,
user=Domain-name-in-question, Feb 11 21:29:06 retr=18803870,
user=Domain-name-in-question, Feb 11 22:00:08 retr=18803870,
user=Domain-name-in-question, Feb 11 22:31:22 retr=18803870,
user=Domain-name-in-question, Feb 11 23:02:35 retr=18803870,
user=Domain-name-in-question, Feb 12 00:04:14 retr=18803870,
user=Domain-name-in-question, Feb 12 00:35:14 retr=18803870,
user=Domain-name-in-question, Feb 12 01:36:32 retr=18803870,
user=Domain-name-in-question, Feb 12 02:07:41 retr=18803870,
user=Domain-name-in-question, Feb 12 02:38:56 retr=18803870,
user=Domain-name-in-question, Feb 12 03:10:36 retr=18803870,
user=Domain-name-in-question, Feb 12 03:41:45 retr=18803870,
user=Domain-name-in-question, Feb 12 04:13:03 retr=18803870,
user=Domain-name-in-question, Feb 12 04:44:15 retr=18803870,
user=Domain-name-in-question, Feb 12 05:15:04 retr=18803870,
user=Domain-name-in-question, Feb 12 05:46:05 retr=18803870,
user=Domain-name-in-question, Feb 12 06:47:30 retr=18803870,
user=Domain-name-in-question, Feb 12 07:18:25 retr=18803870,
user=Domain-name-in-question, Feb 12 07:49:32 retr=18803870,
user=Domain-name-in-question, Feb 12 08:20:27 retr=18803870,
user=Domain-name-in-question, Feb 12 08:52:06 retr=18803870,
user=Domain-name-in-question, Feb 12 09:23:25 retr=18803870,
user=Domain-name-in-question, Feb 12 09:54:48 retr=18803870,
How do I determine what IP is doing this, and whether it is a script / program on the user's site doing this?

Many Thanks

Nick
cPanelMichael
Administrator, Staff member, joined Apr 11, 2011
Hello :)

You should see the IP address of the user who made the POP3 connection in the /var/log/maillog file. Try modifying the "grep" command in the bash script you are using so the IP address is output.

Thank you.
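The following Python script is an added example (not the thread's grep pipeline and not cPanel's own tooling) that does what both posts ask: it groups the retr= bytes by mailbox and remote IP (rip=) and reports the median interval between sessions, so a source that pulls a near-constant ~18.8MB every half hour, as in the log above, stands out from a normal client. The sample log lines are constructed; their exact field layout (user=<...>, rip=..., retr=N) is an assumption modelled on the fields the question's awk extracts, and the year is supplied by the caller because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, not from the thread; field layout is an assumption modelled on
# the post's awk fields ($7 user=, $11 retr=) plus the rip= field the reply points to.
SAMPLE_MAILLOG = """\
Feb  9 03:37:25 srv dovecot: pop3-logout: user=<nick@example.com>, rip=203.0.113.5, lip=198.51.100.2, top=0/0, retr=18803870, del=0/0, size=18803870
Feb  9 04:08:20 srv dovecot: pop3-logout: user=<nick@example.com>, rip=203.0.113.5, lip=198.51.100.2, top=0/0, retr=18803870, del=0/0, size=18803870
Feb  9 04:39:33 srv dovecot: pop3-logout: user=<nick@example.com>, rip=203.0.113.5, lip=198.51.100.2, top=0/0, retr=18803870, del=0/0, size=18803870
Feb  9 05:10:41 srv dovecot: pop3-logout: user=<nick@example.com>, rip=203.0.113.5, lip=198.51.100.2, top=0/0, retr=18806795, del=0/0, size=18806795
Feb  9 09:15:02 srv dovecot: pop3-logout: user=<nick@example.com>, rip=198.51.100.77, lip=198.51.100.2, top=0/0, retr=0, del=0/0, size=18803870
Feb  9 12:00:00 srv dovecot: pop3-logout: user=<nick@example.com>, rip=198.51.100.77, lip=198.51.100.2, top=0/0, retr=4120, del=0/0, size=18807990
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3.*?"
                     r"user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[^,\s]+).*?retr=(?P<retr>\d+)")

def parse_sessions(text, year):
    """Yield (timestamp, user, remote_ip, bytes_retrieved) per POP3 logout line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"], int(m["retr"])

def summarize(text, year=2014, tolerance=0.02):
    """Per (user, ip): sessions, bytes, median minutes between sessions, and whether
    nearly every session pulls the same byte count (a full mailbox re-download)."""
    per_src = defaultdict(list)
    for ts, user, ip, nbytes in parse_sessions(text, year):
        per_src[(user, ip)].append((ts, nbytes))
    report = {}
    for key, sessions in per_src.items():
        sessions.sort()
        sizes = [b for _, b in sessions if b > 0]
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(sessions, sessions[1:])]
        typical = median(sizes) if sizes else 0
        # A client that leaves mail on the server but does not remember UIDLs
        # re-fetches everything each poll, so retr= stays almost constant.
        repeats = sum(1 for s in sizes if abs(s - typical) <= tolerance * typical)
        report[key] = {"sessions": len(sessions), "bytes": sum(b for _, b in sessions),
                       "median_gap_min": round(median(gaps), 1) if gaps else None,
                       "full_redownload": len(sizes) >= 3 and repeats >= 0.8 * len(sizes)}
    return report

if __name__ == "__main__":  # on the server: data = open("/var/log/maillog").read()
    for (user, ip), r in sorted(summarize(SAMPLE_MAILLOG).items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{user} from {ip}: {r['sessions']} sessions, {r['bytes']} bytes, "
              f"median gap {r['median_gap_min']} min, full re-download: {r['full_redownload']}")
```

An IP flagged as full_redownload with a ~30 minute median gap is a mail client polling on a timer, not a script on the website; an IP that is not the customer's own is worth checking against the account's login history before the password is changed.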