btrfld Posted October 19, 2004
If this is in the wrong forum, please move it. I will try to keep the preamble short, but some background is necessary.
A little while ago I discovered that one of my accounts was suddenly using up bandwidth at three times the normal amount. I checked, using all the tools I know of, and the extra seems to be POP related. I put in a Help Desk ticket, and was told that the excess 'seemed to be consumed by email', but that I could not look at the logs, because they are server-wide. OK.
So I did further research for most of today, watching every mailbox in the account. Here is what I discovered:
Given: bandwidth numbers in cPanel are updated about every 6.5 hours.
Between approximately 10:30am and 5:00pm (EDT) the bandwidth consumed was 90.6mb (14 mb/hr).
During that time ALL the POP mail that came in, including that marked as SPAM, amounted to 3mb.
During that time the HTTP traffic (viewed and not viewed) was 17mb.
Since I am the only one with FTP access, I can say with some certainty that there was none. (If there was, by the way, how would I know? There doesn't seem to be a tool for monitoring FTP.)
So: even if I triple the mail amount to allow for the POP mail that came in going back out to its recipients (even the SPAM, which did not go out and is normally Discarded) and a like amount for SMTP, the total should be 9mb (mail) + 17mb (http) = 26mb (4 mb/hr).
Where is the other 10 mb/hr going? How can I find out? Is there anyone out there with any experience in this area?
Thank you in advance, anybody, for any insight.
oompahloompah Posted October 20, 2004
Mm, I could be wrong, but I would have thought regexping the mail logs would be possible, thus filtering out the logs that belong to you and those that don't. Perhaps it would be helpful to take it up with the help desk again, as it seems they have the key to the answer you wish for.
btrfld (Author) Posted October 20, 2004
Thanks for the idea. They must be able to do it. I'll give it a try.
prospector Posted October 20, 2004
Please keep us informed of your progress on this issue. I'd really like to know what to look for in the future if it happens to me.
btrfld (Author) Posted October 20, 2004
I did talk to the Help Desk again, and they sent me a filtered log of all email through the account in the last few days. From it I learned a couple of things:
The log shows no origins or sizes, so in that regard it isn't much help for things like blacklisting. It also shows no recipient for mail identified as Spam and discarded, so it's no help in seeing who it's directed at. Basically, you have to capture all the mail and look at each piece to make any kind of determination. Lots of work, and spammers are crafty: I rarely got more than a couple from the same sender.
It did show the outgoing (smtp) side of things, which is something I couldn't see anywhere else. It wasn't of significant volume, and had no appreciable effect on the problem, I think.
It also showed me that my research wasn't accurate, because many messages were dropped due to the mailbox being full. I hadn't set my box size large enough to accept the volume of mail that came in. So my numbers regarding mail I saw come in were too low.
In talking with the Help Desk, I determined that all mail that comes in, whether to real mailboxes or non-existent recipients or that identified as spam, all counts against bandwidth. To that extent, there's nothing I can do about it except shut down the domain. Not.
I've set SpamAssassin to a very restrictive filter, and directed all mail so identified to Discard. At least I won't take the hit for sending it back out to people.
In the end, I've decided that the account is just being spammed by some robot. The mail I collected and reviewed showed significant evidence of messages sent to a long list of non-existent names @domain.com. Sort of a try-every-combination-beginning-with-B thing. I've set the bandwidth limit high enough so the account won't get shut down while I'm not looking, and hope that it will stop when the robot gets to the end of the alphabet and moves on to someone else.
Thanks for asking.
I hope this helps.
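The "try every name beginning with B" pattern described in the post above is a directory-harvest attack, and it is easy to spot once the MTA's own log (rather than the help desk's filtered extract) is available, because each probe leaves a rejected-recipient line with the sending IP. The script below is an added example, not code from the thread or from cPanel; the log lines are constructed to approximate Exim's mainlog format (cPanel's MTA), and the exact reject wording and the `detect_harvest` / `unknown_recipients_by_ip` names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an Exim mainlog; the reject wording
# varies between versions, so the regex below is an assumption about the format.
SAMPLE_LOG = """\
2004-10-20 10:31:02 H=(relay.example.net) [203.0.113.7] F=<x@example.net> rejected RCPT <barry@example.com>: No such user here
2004-10-20 10:31:03 H=(relay.example.net) [203.0.113.7] F=<x@example.net> rejected RCPT <bart@example.com>: No such user here
2004-10-20 10:31:05 H=(relay.example.net) [203.0.113.7] F=<x@example.net> rejected RCPT <beth@example.com>: No such user here
2004-10-20 10:31:06 H=(relay.example.net) [203.0.113.7] F=<x@example.net> rejected RCPT <bill@example.com>: No such user here
2004-10-20 10:31:08 H=(relay.example.net) [203.0.113.7] F=<x@example.net> rejected RCPT <bob@example.com>: No such user here
2004-10-20 10:31:09 H=(relay.example.net) [203.0.113.7] F=<x@example.net> rejected RCPT <brad@example.com>: No such user here
2004-10-20 10:32:10 H=(smtp.friend.org) [198.51.100.5] F=<pal@friend.org> rejected RCPT <oldname@example.com>: No such user here
2004-10-20 10:32:11 1CKa3x-0001Rk-2Q <= pal@friend.org H=(smtp.friend.org) [198.51.100.5] S=2048
"""

# Pull the HELO name, sending IP and the unknown local part out of a reject line.
REJECT_RE = re.compile(
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[\d.]+)\].*?rejected RCPT <(?P<local>[^@>]+)@(?P<domain>[^>]+)>"
)


def unknown_recipients_by_ip(log_text):
    """Map each sending IP to the set of non-existent local parts it tried."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            tried[m.group("ip")].add(m.group("local").lower())
    return tried


def detect_harvest(log_text, threshold=5):
    """Flag IPs that probed at least `threshold` distinct unknown recipients.

    A single mistyped address from a friend stays below the threshold; a host
    walking the alphabet does not. The leading letters make the sweep visible.
    """
    findings = {}
    for ip, locals_ in unknown_recipients_by_ip(log_text).items():
        if len(locals_) >= threshold:
            names = sorted(locals_)
            findings[ip] = {
                "count": len(names),
                "leading_letters": "".join(sorted({n[0] for n in names})),
                "sample": names[:5],
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_harvest(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} unknown recipients starting with {info['leading_letters']!r}: {info['sample']}")
```

Run against a real mainlog, the flagged IPs are the ones worth rate-limiting or blocking at the MTA, which stops the bandwidth being consumed before the message body is accepted.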
boxturt Posted October 20, 2004
Very interesting, Jim. Thank you for taking the time to share, and I hope it all works out in your favor.
bellringr Posted October 21, 2004
Jim, you might already know this, but in your Default Address Maintenance, have you set all unrouted mail to go to :blackhole:? This will automatically discard anything that doesn't come to one of your legitimate addresses.
btrfld (Author) Posted October 21, 2004
Yes, thanks for thinking of it. I do that automatically.