
Huge traffic for POP3/IMAP

MarcSerra


Hi!

I'm using Plesk 11.0.9 Update #38 on CentOS 5.5 (Final), up to date.

I have 40 domains (approx.) working correctly, but this month I detected a problem with one of them. Look at these stats...

FTP: 0 B
HTTP: 68.2 MB
POP3/IMAP: 128 GB
SMTP: 119 MB

How can I find where the 128GB of usage for POP3/IMAP comes from? This domain has only 2 mail accounts.

Thanks in advance!
 
No answer?

What can I do? I'm adding this extra info...

February: 2,74GB (822MB POP3/IMAP)
January: 2,00GB (804MB POP3/IMAP)
December: 1,44GB (771MB POP3/IMAP)
November: 2,19GB (901MB POP3/IMAP)
 
With that kind of traffic I would think your maillog would have lots of details. /usr/local/psa/var/log/maillog

There's probably a ton of entries that could help you find this. At least in the maillog you can see if it's an email account or website script that's been hacked.
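Added example (not part of the original thread or any poster's words): one way to see which mailbox and client IP account for POP3/IMAP bytes in the maillog. It assumes Courier-IMAP style end-of-session lines carrying `user=`, `ip=[...]` and `sent=` fields; the function names, `example.com` and the sample lines are constructed for illustration.

```python
import gzip
import re
from collections import defaultdict

# Assumed Courier-IMAP style end-of-session lines; adjust for other servers.
SESSION = re.compile(
    r"(?P<svc>pop3d|imapd)(?:-ssl)?(?:\[\d+\])?: (?:LOGOUT|DISCONNECTED|TIMEOUT), "
    r"user=(?P<user>[^,\s]+), ip=\[(?P<ip>[^\]]+)\].*?\bsent=(?P<sent>\d+)"
)

def read_log(path):
    """Yield lines from a plain or gzip-compressed maillog."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

def traffic_by_client(lines, domain):
    """Sum sessions and bytes sent per (mailbox, client IP, service) for one domain."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = SESSION.search(line)
        if m and m["user"].lower().endswith("@" + domain.lower()):
            entry = totals[(m["user"].lower(), m["ip"], m["svc"])]
            entry[0] += 1
            entry[1] += int(m["sent"])
    # Largest byte count first, so the heaviest client is on top.
    return sorted(((k, v[0], v[1]) for k, v in totals.items()), key=lambda r: -r[2])

# Constructed sample lines (example.com and documentation IP ranges).
SAMPLE = """\
Mar  6 10:23:01 s1 pop3d: LOGOUT, user=info@example.com, ip=[::ffff:192.0.2.10], port=[51234], top=0, retr=52428800, rcvd=48, sent=52429000, time=61
Mar  6 10:24:05 s1 pop3d: LOGOUT, user=info@example.com, ip=[::ffff:192.0.2.10], port=[51240], top=0, retr=52428800, rcvd=48, sent=52429000, time=60
Mar  6 10:30:00 s1 imapd: DISCONNECTED, user=sales@example.com, ip=[::ffff:198.51.100.7], headers=120, body=4096, rcvd=300, sent=5000, time=12
Mar  6 10:31:00 s1 pop3d: LOGOUT, user=bob@example.org, ip=[::ffff:203.0.113.5], port=[40000], top=0, retr=0, rcvd=12, sent=39, time=0
Mar  6 10:32:00 s1 postfix/smtpd[2211]: connect from unknown[203.0.113.5]
""".splitlines()

if __name__ == "__main__":
    for (user, ip, svc), sessions, sent in traffic_by_client(SAMPLE, "example.com"):
        print(f"{user:22} {ip:22} {svc:6} sessions={sessions:<4} sent={sent / 2**20:.1f} MiB")
```

On a real server, pass `read_log("maillog.processed.1.gz")` instead of `SAMPLE`; many sessions from one IP with a large `sent` total point at a specific client or a compromised mailbox password.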
 
That's strange, because the first day I received the mail informing me that the domain exceeded the resource usage limits was this Wednesday, 6th of March. And the mail log does not show a strange size difference on these dates...

-rw-r--r-- 1 root root 1.8M Mar 7 04:33 maillog.processed.1.gz
-rw-r--r-- 1 root root 1.6M Mar 5 04:30 maillog.processed.2.gz
-rw-r--r-- 1 root root 1.7M Mar 2 04:29 maillog.processed.3.gz

What do I need to search for in the maillog files? Using zgrep I found around 4000 lines about this domain in each file; I think that's normal. Any clue?

Thanks!
 
I would run mailq and check your queue, or look in the control panel for the Queue ID of your message, e.g. CE648EC0294. Then check /var/spool/postfix/deferred (if you use postfix) and see who sent it. It could be an email account, or a script being exploited on your server. I recently had a subscriber who set their FTP password to something fairly easy. His account was hacked and a file uploaded to his domain which was used for sending spam.
 
Thanks, Jayson, but I can't find useful information. There are only 3 messages in the /var/spool/postfix/deferred directory...

[root@s1 deferred]# ls -lR
.:
total 0
drwx------ 2 postfix postfix 6 Mar 2 16:13 0
drwx------ 2 postfix postfix 6 Mar 6 10:23 1
drwx------ 2 postfix postfix 6 Mar 7 20:28 2
drwx------ 2 postfix postfix 6 Mar 6 11:33 3
drwx------ 2 postfix postfix 6 Mar 7 11:18 4
drwx------ 2 postfix postfix 6 Mar 9 15:24 5
drwx------ 2 postfix postfix 24 Mar 9 15:29 6
drwx------ 2 postfix postfix 6 Mar 4 19:03 7
drwx------ 2 postfix postfix 6 Mar 9 15:24 8
drwx------ 2 postfix postfix 24 Mar 9 15:14 9
drwx------ 2 postfix postfix 24 Mar 9 15:24 A
drwx------ 2 postfix postfix 6 Mar 4 14:08 B
drwx------ 2 postfix postfix 6 Mar 4 17:38 C
drwx------ 2 postfix postfix 6 Mar 9 15:24 D
drwx------ 2 postfix postfix 6 Mar 8 11:03 E
drwx------ 2 postfix postfix 6 Mar 2 16:48 F

./0:
total 0

./1:
total 0

./2:
total 0

./3:
total 0

./4:
total 0

./5:
total 0

./6:
total 148
-rwx------ 1 postfix postfix 147964 Mar 9 2013 60065C77071

./7:
total 0

./8:
total 0

./9:
total 112
-rwx------ 1 postfix postfix 112741 Mar 9 2013 9A530C7C64F

./A:
total 4
-rwx------ 1 postfix postfix 3876 Mar 9 2013 A946AC84CAD

./B:
total 0

./C:
total 0

./D:
total 0

./E:
total 0

./F:
total 0

What is the use of the /var/spool/postfix/deferred directory?
 
OK, after googling a bit, now I understand what the deferred folder is used for.

But I would still like to discover the reason for the 128GB of traffic usage for this domain...
 
If you cat these files (e.g. A946AC84CAD) and look at the header, does it say who sent it? If it's a script it may not say who, i.e. from <>. In this case I check the time stamp and compare it against the httpd log file for that domain.
 
Thanks for the quick answer.

The 3 mails are legitimate (from existing users to erroneous addresses because of a keypress error), and none come from the affected domain... :(
 
Perhaps it's a calculation problem rather than actual IMAP traffic. This "POP3/IMAP: 128 GB" doesn't really line up with your stats: February: 2,74GB (822MB POP3/IMAP), January: 2,00GB (804MB POP3/IMAP), December: 1,44GB (771MB POP3/IMAP), November: 2,19GB (901MB POP3/IMAP).

Doesn't this mean that for those months you had 822MB, 804MB, 771MB and 901MB for POP3/IMAP? If so, how does the 128GB factor in? I also think that if you sent 128GB worth of email, something would show up in your maillog and probably still be in your mail queue.
 