Tracking Down Excessive POP3 Usage

orty

Well-Known Member
Jun 29, 2004
110
0
166
Bend, Oregon
cPanel Access Level
Root Administrator
I had an account who hit their bandwidth limit on their account. Looking into their bandwidth usage in cPanel, they are pushing ~8gig in HTTP data pretty much every month, but gradually climbing POP3 data to the point where they had 91.21gig in POP3 data thus far this month.

Is there a quick and dirty way to track down which email accounts and/or IP addresses are causing that amount of data usage? Or is there something else I should be looking for? This is a vacation rental/real estate company where one of the owners is their "IT Guy" and I want to make sure they're not doing something that's flooding the server. They're complaining about a lot more spam than usual, but even if we had more aggressive spam protection on the server, wouldn't that still count in the POP3 stats, or does that only count email that gets downloaded to the client's computers via POP3 but not necessarily the email hitting the account?

See attached for chart (the spike in late Feb. was a hacked email account that went bonkers).

Just trying to figure out what to tell the guy.

Thanks!
-Jake
 

Attachments

Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello,

You may find this command helpful:

Code:
grep domain.com /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
Thank you.
 

orty

Well-Known Member
Jun 29, 2004
110
0
166
Bend, Oregon
cPanel Access Level
Root Administrator
Hello,

You may find this command helpful:

Code:
grep domain.com /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d= -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
Thank you.
I did find it useful, thanks. It helped me see that something's being reported wrong somewhere or something was wonky in the grep.

After running the grep, I got this:

Code:
total:  4079902  bytes transferred over POP3
So I checked to make sure that log files are getting rotated properly, and it appears they are:
Code:
[email protected] [/var/log]# ll maillog*
-rw-------. 1 root root  8071296 May 27 19:00 maillog
-rw-------. 1 root root 14967515 May  3 03:15 maillog-20150503
-rw-------. 1 root root 16054207 May 10 03:26 maillog-20150510
-rw-------. 1 root root 18189028 May 17 03:39 maillog-20150517
-rw-------. 1 root root 15832581 May 24 03:49 maillog-20150524
[email protected] [/var/log]#
Am I missing something obvious here, but it seems like 4079902 bytes < 90+ Gigs :). Where does cPanel get those numbers for the bandwidth calculations? Or did the grep pull from the wrong place in the file (I'm not strong in my grep-fu).
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello,

Are you sure that was the only output you received from the grep command? It's likely the output for a single POP3 session, not an overall total.

Thank you.
 

orty

Well-Known Member
Jun 29, 2004
110
0
166
Bend, Oregon
cPanel Access Level
Root Administrator
That's the only o
Hello,

Are you sure that was the only output you received from the grep command? It's likely the output for a single POP3 session, not an overall total.

Thank you.
Yep, that's the only output I see. Attached is a screenshot from Putty that shows the command output right after I logged in (ran just a few minutes ago), as well as a quick tail on maillog so you can see its format, so you can make sure the grep matches up.

Edit: Since the image appears to have been compressed when attached, you can find it here, too - Removed -
 

Attachments

Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Yes, that command does appear to search out a total. The POP3 bandwidth usage is likely accurate, but you are welcome to open a support ticket using the link in my signature if you want us to take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

orty

Well-Known Member
Jun 29, 2004
110
0
166
Bend, Oregon
cPanel Access Level
Root Administrator
I'll ask a friend of mine (and cohort on the server management) to give me his thoughts, otherwise I'll get a ticket open.

Thanks!
 

orty

Well-Known Member
Jun 29, 2004
110
0
166
Bend, Oregon
cPanel Access Level
Root Administrator
Yes, that command does appear to search out a total. The POP3 bandwidth usage is likely accurate, but you are welcome to open a support ticket using the link in my signature if you want us to take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
Ticket # is 6603753. Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
To update, it looks like one user is downloading their entire inbox every time they access POP3. The following command helps show this:

Code:
grep domain.com /var/log/maillog* | grep retr= | grep -v retr=0 | awk {'print $11'} | cut -d, -f1 | cut -d / -f2 | awk '{t += $1} END { print "total: ", t, " bytes transferred over POP3"}'
Thank you.