• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Unreal POP3 Stats

S

StvnT

New Pleskian
[Solved] Unreal POP3 Stats

A domain has recently started reporting extremely high POP3 Out statistics. Plesk is reporting between 8 and 10 gigabytes of data for our POP3 Out per night! I don't really know how to read the logs but I believe the inflated reporting is caused by a single account on the affected domain. The suspect account - from the logs:

May 11 11:21:18 web1 pop3d: IMAP connect from @ [xxx.xxx.xxx.xxx]INFO: LOGIN, [email protected], ip=[xxx.xxx.xxx.xxx]
May 11 11:21:52 web1 pop3d: 1336753312.107644 DISCONNECTED, [email protected], ip=[xxx.xxx.xxx.xxx], top=0, retr=22795503, time=34, rcvd=50, sent=23092177, maildir=/var/qmail/mailnames/domain.com/user1/Maildir
Click to expand...

For comparison, this is another user on the domain:

May 11 11:30:34 web1 pop3d: IMAP connect from @ [xxx.xxx.xxx.xxx]INFO: LOGIN, [email protected], ip=[xxx.xxx.xxx.xxx]
May 11 11:30:34 web1 pop3d: 1336753834.615746 LOGOUT, [email protected], ip=[xxx.xxx.xxx.xxx], top=0, retr=0, time=0, rcvd=12, sent=39, maildir=/var/qmail/mailnames/domain.com/user2/Maildir
Click to expand...

If I understand correctly, the user1 account performs a login, transfers 23MB of data and is disconnected after 30 seconds. Whereas the user2 account performs a login, sees no new mail and logs out.

What could be the problem? Could it be compromised? Could the client have changed settings and we're seeing IMAP traffic instead of POP3 (sorry, I'm not real familiar with these logs)?
 
Last edited:
Hi,

We have seen something similar to this twice, and in both times (one is still ongoing) its been caused by Kayako.

Kayako gets itself all in a tizz with emails larger than its limits, I think it downloads the email, realises its bigger than its allowed then gives up. Then on the next cycle it downloads the email, realises its bigger than its allowed then gives up (etc etc etc).

Not saying its the case you have here, but it could be something else with equally poor logic (or just a truly massive email thats somehow ended up in the inbox and times out on download every time),

Paul
 
Thanks for the help Igor and Paulie!

This only affected the one account so I was thinking either it was something on the clients end (Outlook error/bug/misconfiguration), email backscatter or a compromised account. We've had some problems with large emails before but nothing quite like this.

I wasn't able to figure out exactly what the problem was but we were able to get it fixed by resetting the password in Plesk and by having the client delete their account in Outlook. Not insightful into the cause of the problem but it worked for us.
 
You must log in or register to reply here.

Similar threads

Dork
Question Watchdog problem
Replies
3
Views
632
mow
M
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
601
Yaroslav_T
Yaroslav_T
D
Resolved MS Outlook IMAP cannot connect
Replies
1
Views
2K
Dominik_
D
C
Resolved No Email receive
Replies
4
Views
1K
Peter Debik
P
Back
Top