Tracking Down Excessive POP3 Usage

orty

Well-Known Member
Jun 29, 2004
109
0
166
Bend, Oregon
cPanel Access Level
Root Administrator
I had an account who hit their bandwidth limit on their account. Looking into their bandwidth usage in cPanel, they are pushing ~8gig in HTTP data pretty much every month, but gradually climbing POP3 data to the point where they had 91.21gig in POP3 data thus far this month.

Is there a quick and dirty way to track down which email accounts and/or IP addresses are causing that amount of data usage? Or is there something else I should be looking for? This is a vacation rental/real estate company where one of the owners is their "IT Guy" and I want to make sure they're not doing something that's flooding the server. They're complaining about a lot more spam than usual, but even if we had more aggressive spam protection on the server, wouldn't that still count in the POP3 stats, or does that only count email that gets downloaded to the client's computers via POP3 but not necessarily the email hitting the account?

See attached for chart (the spike in late Feb. was a hacked email account that went bonkers).

Just trying to figure out what to tell the guy.

Thanks!
-Jake
 


cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello,

You may find this command helpful:

Code:
grep domain.com /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
Thank you.
 

orty

I did find it useful, thanks. It helped me see that something's being reported wrong somewhere or something was wonky in the grep.

After running the grep, I got this:

Code:
total:  4079902  bytes transferred over POP3
So I checked to make sure that log files are getting rotated properly, and it appears they are:
Code:
root@machine [/var/log]# ll maillog*
-rw-------. 1 root root  8071296 May 27 19:00 maillog
-rw-------. 1 root root 14967515 May  3 03:15 maillog-20150503
-rw-------. 1 root root 16054207 May 10 03:26 maillog-20150510
-rw-------. 1 root root 18189028 May 17 03:39 maillog-20150517
-rw-------. 1 root root 15832581 May 24 03:49 maillog-20150524
root@machine [/var/log]#
Am I missing something obvious here, but it seems like 4079902 bytes < 90+ Gigs :). Where does cPanel get those numbers for the bandwidth calculations? Or did the grep pull from the wrong place in the file (I'm not strong in my grep-fu).
 

cPanelMichael

Hello,

Are you sure that was the only output you received from the grep command? It's likely the output for a single POP3 session, not an overall total.

Thank you.
 

orty

Yep, that's the only output I see. Attached is a screenshot from PuTTY that shows the command output right after I logged in (ran just a few minutes ago), as well as a quick tail on maillog so you can see its format, so you can make sure the grep matches up.

Edit: Since the image appears to have been compressed when attached, you can find it here, too - Removed -
 


cPanelMichael

Yes, that command does appear to search out a total. The POP3 bandwidth usage is likely accurate, but you are welcome to open a support ticket using the link in my signature if you want us to take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

orty

I'll ask a friend of mine (and cohort on the server management) to give me his thoughts, otherwise I'll get a ticket open.

Thanks!
 

orty

Ticket # is 6603753. Thanks!
 

cPanelMichael

To update, it looks like one user is downloading their entire inbox every time they access POP3. The following command helps show this:

Code:
grep domain.com /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d / -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
Thank you.
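
The per-mailbox breakdown the original question asks for, as an added example that is not part of any post in this thread: it totals POP3 bytes per user and counts sessions where the whole mailbox was retrieved with nothing deleted, the pattern the ticket turned up. The log line shape, the sample lines, and the names `pop3_usage` and `sample_log` are assumptions made for illustration; the `full` count is a heuristic, since retrieved bytes and mailbox size need not match exactly on a real server.

```sh
#!/bin/sh
# Assumed Dovecot logout line (constructed sample, not from the thread's server):
#   ... dovecot: pop3(user@example.com): Disconnected: Logged out top=0/0, retr=3/3000, del=0/3, size=3000
# retr=<messages>/<bytes>: the bytes are the part after the slash, which is
# what the final command in the thread keeps with `cut -d / -f2`.

sample_log() {   # constructed log lines for a dry run
cat <<'EOF'
May 27 18:00:01 host dovecot: pop3(alice@example.com): Disconnected: Logged out top=0/0, retr=3/3000, del=0/3, size=3000
May 27 18:10:01 host dovecot: pop3(alice@example.com): Disconnected: Logged out top=0/0, retr=3/3000, del=0/3, size=3000
May 27 18:12:09 host dovecot: pop3(bob@example.com): Disconnected: Logged out top=0/0, retr=1/500, del=1/4, size=2000
May 27 18:15:00 host dovecot: pop3(carol@other.test): Disconnected: Logged out top=0/0, retr=9/9999, del=0/9, size=9999
May 27 18:20:01 host dovecot: pop3(alice@example.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/3, size=3000
EOF
}

pop3_usage() {   # pop3_usage DOMAIN [LOGFILE...]; reads stdin when no file is given
    domain=$1; shift
    awk -v dom="$domain" '
    function field(key,   s) {   # digits and slashes following "key="
        if (!match($0, key "=[0-9/]+")) return ""
        s = substr($0, RSTART, RLENGTH); sub(/^[^=]*=/, "", s); return s
    }
    /pop3\(/ && /retr=/ {
        if (!match($0, /pop3\([^)]*\)/)) next
        user = substr($0, RSTART + 5, RLENGTH - 6)
        if (substr(user, length(user) - length(dom)) != "@" dom) next
        split(field("retr"), r, "/"); split(field("del"), d, "/")
        size = field("size") + 0
        sessions[user]++; msgs[user] += r[1]; bytes[user] += r[2]
        # Whole mailbox retrieved and nothing deleted: the client is
        # re-downloading mail it already has.
        if (size > 0 && r[2] + 0 >= size && d[1] + 0 == 0) full[user]++
    }
    END {
        for (u in bytes)
            printf "%.0f\t%s\tsessions=%d\tmsgs=%d\tfull=%d\n", bytes[u], u, sessions[u], msgs[u], full[u]
    }' "$@" | sort -rn
}

sample_log | pop3_usage example.com
```

On a live server the function takes the log files as arguments after the domain, for example `/var/log/maillog*` as used in the thread; output is sorted with the heaviest mailbox first.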