Issue Unusual spike in POP3/IMAP traffic for a subscription

[JVG]

Server operating system version

Debian 12

Plesk version and microupdate number

Plesk Obsidian 18.0.65.2

Hi,

something strange is happening in one of the subscriptions I manage in Plesk.

Usually the subscription is about 4-5GB in POP/IMAP traffic per month. Last month it skyrocketed to more than 1TB and for December it's already at 7GB in just a day and a half.

I checked the emails sent and received yesterday and today and in NO WAY they're 7GB in total.

The mail accounts in this subscription are mainly used as IMAP (I'd say 95%) and their size are in the 10-15GB range (the size has not changed dramatically in the last few months).

Is there a way I can check what's really going on?

 

[Nikolay]

Hi!

1. You can verify the subscription traffic statistics using this article https://support.plesk.com/hc/en-us/articles/12377959276439 to make sure that it was calculated correctly
2. You can check records about the domain in maillog. Also, you can install Log Browser extension and review email activity via Track Email Delivery on subscription card and Mail delivery system in Log Browser > Mail tab (/modules/log-browser/?tab=mail)

 

[JVG]

Hi!

1. You can verify the subscription traffic statistics using this article https://support.plesk.com/hc/en-us/articles/12377959276439 to make sure that it was calculated correctly
2. You can check records about the domain in maillog. Also, you can install Log Browser extension and review email activity via Track Email Delivery on subscription card and Mail delivery system in Log Browser > Mail tab (/modules/log-browser/?tab=mail)
View attachment 27501

Thanks, the script from the first link seems to have identified the culprit. Looks like a faulty wordpress contact form. I'll monitor it in the following days to confirm this.

 

[JVG]

Hi,

it turns out even though there was indeed a faulty wordpress form, after disabling it the problem still exists. At least the mail account responsible has been identified, the statictics script show this for the affected mailbox:

GigaBytes:
SENT=3.17
RCVD=29.05

That is not normal behaviour for the mailbox. That mailbox is around 15GB (it has been for months) and it's being accessed via IMAP by multiple devices via Outlook and by IPhone via Apple Mail.

Maybe there's something wrong in the IMAP connection to that mail account? All other mailaccounts for the domain are normal, as are the rest of the domains on the server.

 

[Nikolay]

In this case, I would check maillog for this mail account to understand what can cause such traffic.

 

[JVG]

This doesn't seem normal right?:

XXXX dovecot: service=imap, user=XXXXXXXXX, ip=[XXXXX]. Disconnected: Logged out rcvd=25121693364, sent=239730554

Nothing before or after that suggests that behaviour on a "logged out" command.

 

[Sebahat.hadzhi]

I wouldn't say it is necessarily abnormal. Does that seem to be a recurring event? If the user in question is connecting for the first time it is fairly normal. However, if it is an reoccurring event there might be an issue with corrupted/misconfigured mail client.

 

[Kaspar]

I have seen similar behavior on servers in the past where abnormal IMAP traffic was caused by improper configuration of email clients (apps), which caused the app to re-downloaded messages frequently. If memory serves me right this was a common occurrence on some Android mail apps a couple of years ago. I am not sure if this is still an common issue. And from your description it also hard to tell if this is also the cause of your traffic spike.

You could try to re-add the email account on every email client which uses IMAP to connects to it to see if solves the issue. Like said, I am not sure, but it might be worth trying.