High e-mail Traffic

I have a client who went from under 2GB of traffic per month to over 100GB of traffic per month.

In looking at the logs, this is all e-mail traffic. Short of suspending the whole account, is there anything that can be done to prevent the client from using this much traffic? I looked through the e-mail logs provided by support and didn't see anything that seemed out of the ordinary for one particular user.

Is there a way to pinpoint this to a particular user?

Here is the data transfer for this client:
September - 2.3 GB
October - 1.8 GB
November - 91.4 GB
December - 12.4 GB
Since yesterday - 18.7 MB

Could they be doing something on their end that is causing the extra traffic?

For JH employees, the support ticket associated with this is CGH-18006-947

Thanks for any help
 
Does anyone know if we can get access to e-mail logs through our control panel?

I'm really concerned that this account is compromised in some way.
 
I would highly recommend their computers be scanned with anti-virus and anti-malware; there are many clients compromised by trojans in the last month that are being used to send out spam mails for 3rd parties controlling their machines.

Normally we get reports of this and have to disable their SMTP, but sometimes it slips by unreported.
 
Does anyone know what the average number of e-mail logins for a user is? In evaluating the logs from Nov 14-17, there is one user who had almost 3000 successful logins. The logs do not show what the data transfer is for each of the logins.

There are only 2 records in the log that do not show a successful login and they are in the following format:

Nov 14 09:41:36 mail3 smtpd: ##########.###### Reject::ORIG::USR_CHK: P:ESMTPM S:IP :unknown H:KIH19 F:[email protected] T:[email protected]

Also, I was just informed that they are using an exchange server at their office to access this e-mail account.
 
The 3000 you mention, are they all SMTP logins or POP3/IMAP logins? 3000 SMTP logins would be a LOT of logins. What you posted is an SMTP login.
 
All of the logins are pop logins. There were only two lines in the entire log that reference an SMTP login.

I finally was able to get in touch with the client, and they had someone working on their PCs to install new virus/malware protection at the end of October (right when the issue popped up). All of the e-mails that were listed in the log were from the same branch office. She will be getting in touch with the person who did the work to find out what they could have done to cause this.
 
Sounds like you may be onto something there; possibly they have AV/malware protection, but it has run amok. Sometimes AV systems actually have their own proxy systems that keep a connection and don't release it; such could be happening here.
 
Stephen -

Is there a way to identify a particular e-mail user that is generating all of this traffic? In looking at the logs, I can see a lot of people logging in many times, but it doesn't show the amount of data transferred each time.

I have been able to narrow it down to someone who has a Tuesday - Saturday work week. The traffic has a significant decrease on Sunday and Monday. Then on Tuesday it jumps right back up (over 4 GB of traffic before 11am today; less than 10 MB yesterday).
 
I will pass this off to Tanmaya tonight. I honestly don't have the answer!

Abhishek is actually downloading your logs to try and see if he can ID it as well.
 
Thank you, between everyone here searching for an issue and your guys helping out I'm sure we can find the culprit! :)
 
We have updated the ticket with names of suspected e-mail accounts which have very extreme logins.
 
Can someone please tell me what the data in this line of the log means? Can headers, body, rcvd & sent be used to identify someone who is sending a lot of information?


Dec 13 10:14:05 mail3 imapd: LOGOUT, [email protected], ip=[11.11.11.111], headers=0, body=1207181, rcvd=155, sent=1223823, time=5
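As an added example (not from the thread and not the hosting provider's own tooling), the script below parses imapd LOGOUT records of the format quoted above and totals bytes per mailbox and per client IP, so the account whose sessions account for the traffic can be picked out of a log that only lists logins. It assumes the Courier-IMAP meaning of the fields: headers and body are bytes of message headers and bodies fetched, sent is total bytes sent to the client, rcvd is bytes received from the client, and time is the session length in seconds; the sample lines, addresses and IPs are constructed.

```python
import re
from collections import defaultdict
# Matches the imapd LOGOUT record quoted in the thread (Courier-IMAP style). The address on
# the page is redacted, so the "user=" prefix is accepted but not required.
LOGOUT_RE = re.compile(
    r"imapd: LOGOUT, (?:user=)?(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\], headers=(?P<headers>\d+), "
    r"body=(?P<body>\d+), rcvd=(?P<rcvd>\d+), sent=(?P<sent>\d+), time=(?P<time>\d+)")

def parse_logout(line):
    """Return the LOGOUT fields as a dict (counters as ints), or None for any other line."""
    m = LOGOUT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("headers", "body", "rcvd", "sent", "time"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Per mailbox: session count, distinct client IPs, bytes to and from the client."""
    totals = defaultdict(lambda: {"sessions": 0, "ips": set(), "sent": 0, "rcvd": 0})
    for line in lines:
        rec = parse_logout(line)
        if rec is None:
            continue
        t = totals[rec["user"]]
        t["sessions"] += 1
        t["ips"].add(rec["ip"])
        t["sent"] += rec["sent"]  # server -> client: mailbox data downloaded (assumed meaning)
        t["rcvd"] += rec["rcvd"]  # client -> server: commands and uploads (assumed meaning)
    return dict(totals)

def rank_by_download(totals):
    """Mailboxes ordered by bytes the server sent them, heaviest first."""
    return sorted(totals, key=lambda user: totals[user]["sent"], reverse=True)

# Constructed sample (not taken from the thread); addresses and IPs are made up.
SAMPLE = """\
Dec 13 10:14:05 mail3 imapd: LOGOUT, user=alice@example.net, ip=[192.0.2.10], headers=0, body=1207181, rcvd=155, sent=1223823, time=5
Dec 13 10:14:31 mail3 imapd: LOGIN, user=bob@example.net, ip=[192.0.2.20]
Dec 13 10:15:02 mail3 imapd: LOGOUT, user=alice@example.net, ip=[192.0.2.10], headers=0, body=1207181, rcvd=155, sent=1223823, time=4
Dec 13 10:16:40 mail3 imapd: LOGOUT, user=bob@example.net, ip=[192.0.2.20], headers=4120, body=0, rcvd=310, sent=5280, time=12
Dec 13 10:17:11 mail3 imapd: LOGOUT, user=alice@example.net, ip=[198.51.100.7], headers=0, body=1207181, rcvd=155, sent=1223823, time=5
""".splitlines()
if __name__ == "__main__":
    totals = summarize(SAMPLE)
    for user in rank_by_download(totals):
        t = totals[user]
        print(f"{user}: {t['sessions']} sessions from {len(t['ips'])} IPs, {t['sent']} bytes sent")
```

A mailbox that re-downloads the same multi-megabyte body on every session, as the constructed alice@example.net does, is the pattern to look for when a client-side proxy or a polling server keeps fetching the whole mailbox.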
 