Tracking Down Excessive POP3 Usage

Discussion in 'E-mail Discussions' started by orty, May 27, 2015.

  1. orty

    orty, Well-Known Member (joined Jun 29, 2004; location: Bend, Oregon; cPanel Access Level: Root Administrator)

    I had an account who hit their bandwidth limit on their account. Looking into their bandwidth usage in cPanel, they are pushing ~8gig in HTTP data pretty much every month, but gradually climbing POP3 data to the point where they had 91.21gig in POP3 data thus far this month.

    Is there a quick and dirty way to track down which email accounts and/or IP addresses are causing that amount of data usage? Or is there something else I should be looking for? This is a vacation rental/real estate company where one of the owners is their "IT Guy" and I want to make sure they're not doing something that's flooding the server. They're complaining about a lot more spam than usual, but even if we had more aggressive spam protection on the server, wouldn't that still count in the POP3 stats, or does that only count email that gets downloaded to the client's computers via POP3 but not necessarily the email hitting the account?

    See attached for chart (the spike in late Feb. was a hacked email account that went bonkers).

    Just trying to figure out what to tell the guy.

    Thanks!
    -Jake
     

    Attached Files:

    #1 orty, May 27, 2015
    Last edited: May 27, 2015
  2. cPanelMichael

    cPanelMichael, Forums Analyst, Staff Member (joined Apr 11, 2011; cPanel Access Level: Root Administrator)

    Hello,

    You may find this command helpful:

    Code:
    grep domain.com /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
    Thank you.
     
  3. orty

    I did find it useful, thanks. It helped me see that something's being reported wrong somewhere or something was wonky in the grep.

    After running the grep, I got this:

    Code:
    total:  4079902  bytes transferred over POP3
    So I checked to make sure that log files are getting rotated properly, and it appears they are:
    Code:
    root@machine [/var/log]# ll maillog*
    -rw-------. 1 root root  8071296 May 27 19:00 maillog
    -rw-------. 1 root root 14967515 May  3 03:15 maillog-20150503
    -rw-------. 1 root root 16054207 May 10 03:26 maillog-20150510
    -rw-------. 1 root root 18189028 May 17 03:39 maillog-20150517
    -rw-------. 1 root root 15832581 May 24 03:49 maillog-20150524
    root@machine [/var/log]#
    Am I missing something obvious here, but it seems like 4079902 bytes < 90+ Gigs :). Where does cPanel get those numbers for the bandwidth calculations? Or did the grep pull from the wrong place in the file (I'm not strong in my grep-fu).
     
  4. cPanelMichael

    Hello,

    Are you sure that was the only output you received from the grep command? It's likely the output for a single POP3 session, not an overall total.

    Thank you.
     
  5. orty

    Yep, that's the only output I see. Attached is a screenshot from PuTTY that shows the command output right after I logged in (ran just a few minutes ago), as well as a quick tail on maillog so you can see its format, so you can make sure the grep matches up.

    Edit: Since the image appears to have been compressed when attached, you can find it here, too - Removed -
     

    Attached Files:

    #5 orty, May 28, 2015
    Last edited by a moderator: May 4, 2016
  6. cPanelMichael

    Yes, that command does appear to search out a total. The POP3 bandwidth usage is likely accurate, but you are welcome to open a support ticket using the link in my signature if you want us to take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. orty

    I'll ask a friend of mine (and cohort on the server management) to give me his thoughts, otherwise I'll get a ticket open.

    Thanks!
     
  8. orty

    Ticket # is 6603753. Thanks!
     
  9. cPanelMichael

    To update, it looks like one user is downloading their entire inbox every time they access POP3. The following command helps show this:

    Code:
    grep domain.com /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d / -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
    Thank you.
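
Added example, not part of the original thread or cPanel's own tooling: a per-mailbox breakdown of the `retr=messages/bytes` field that the final command above totals, so a client that re-downloads its whole inbox on every session stands out. The sample log lines are constructed, and the function names and the exact Dovecot line layout are assumptions based on the `retr=` / `$11` pipeline in the thread.

```shell
#!/bin/sh
# Added example: per-mailbox POP3 retrieval totals from Dovecot disconnect lines.
# Constructed sample lines (not from the thread), in the layout the
# retr= / $11 pipeline in the thread implies.
sample_log() {
cat <<'EOF'
May 27 18:55:01 machine dovecot: pop3-login: Login: user=<owner@domain.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=4101
May 27 18:55:09 machine dovecot: pop3(owner@domain.com): Disconnected: Logged out top=0/0, retr=400/52428800, del=0/400, size=52428800
May 27 19:00:02 machine dovecot: pop3(owner@domain.com): Disconnected: Logged out top=0/0, retr=400/52428800, del=0/400, size=52428800
May 27 19:00:30 machine dovecot: pop3(sales@domain.com): Disconnected: Logged out top=0/0, retr=2/8192, del=2/2, size=8192
May 27 19:01:00 machine dovecot: pop3(sales@domain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
EOF
}

# Reads log lines on stdin and prints "bytes sessions messages mailbox",
# largest consumer first. Fields are located by pattern instead of by
# position, so a "filename:" prefix from grep over several files is harmless.
pop3_by_mailbox() {
    awk '
    / pop3\(/ {
        user = ""; bytes = 0; msgs = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pop3\(/) {
                user = $i
                sub(/^pop3\(/, "", user); sub(/\).*$/, "", user)
            } else if ($i ~ /^retr=[0-9]+\/[0-9]+,?$/) {
                v = $i
                sub(/^retr=/, "", v); sub(/,$/, "", v)
                split(v, p, "/")          # p[1] = messages, p[2] = bytes
                msgs = p[1] + 0; bytes = p[2] + 0
            }
        }
        if (user != "" && bytes > 0) {    # skip sessions that retrieved nothing
            total[user] += bytes; sess[user]++; count[user] += msgs
        }
    }
    END {
        for (u in total) printf "%.0f %d %d %s\n", total[u], sess[u], count[u], u
    }' | sort -rn
}

sample_log | pop3_by_mailbox
```

On a live server the same function can be fed with `cat /var/log/maillog* | pop3_by_mailbox`; a mailbox whose sessions each retrieve the same large message count and byte total is the pattern described in the last reply.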
     