On Fri, Jan 26, 2001 at 10:10:05PM -0800, Jeffrey Goldberg wrote:
> > I'm trying to understand where the gig of mail (when I usually only
> > see 3 to 400MB) came from and went to. I see a source for 100MB, but
> > nothing that adds up to a 1G+ (I mean, I do see local, but that
> > doesn't help me).
> >
> > As you guessed, I want to find out what's happening and teach the culprits
> > about other fine protocols like ftp and http :-)
>
> > Top 50 sending hosts by volume
> > ------------------------------
> >
> > 93 104239445 (mail1.synnex.com)
>
> Well that site has an average of about 1M per message.
>
> > 9 21061348 dhcp-net10-32-sw2-203.sndg.valinux.com
>
> And they are sending about 2M per message.
I know, I did see those, but it just didn't seem to add up.
I only have the first 50, and it adds up to about 500MB, more than what I
initially thought after some quick math, but it was hard to believe that I
have another 500MB+ in sites that each sent 2MB or less. Apparently, it has
to be the case after all.
I'm just trying to find the "problem" since the stats more than doubled for
that day.
> > Top 50 destinations by volume
> > -----------------------------
> > 1 9436888 mailhost.worksta.com
>
> I think you can do the math in your head.
>
> > 1 8955808 mail.flyinglogo.com
>
> Likewise.
Yep. I know there are a few of those. I think I was focussing too much on
finding some obvious abuse in one specific place, but apparently we're
talking generalized abuse by several users all on the same day.
> > Top 50 local destinations by volume
> > -----------------------------------
> >
> > 29 99267405 gbandak
>
> That user gets an average of 3M per message.
Yes, I know, I already flagged him :-)
but you're right, the first 50 users do add up to 437MB, it's just a lot.
> But an easier way is to just set the message size limit to 2M and see who
> screams.
I've entertained the idea more than once, trust me, but the CIO and CFO
don't seem to agree with me, go figure :-)
> PS: I'm not sure of the appropriateness of posting all of that traffic
> info about your users. But I assume that you considered that.
Yeah, I did.
I forgot to snip the relayed messages section, which was of no relevance,
but for the rest, it'd have been a lot of work to change all the login names
to dummy names and change all the hostnames too, and considering that one
can fairly easily harvest that information from the net and our web site
already, I didn't bother...
It seems that I was looking for something that I thought was missing, but
when you prompted me to add up the numbers, while I can only account for
about half the totals with the top 50, it's clear that there aren't any
errors in the log reporting and indeed this was a bad day (not that the mail
server really minded, its load average is below 0.20 typically, but moving
as much mail in a day as sourceforge seemed weird...)
Thanks for poking a stick at the logs.
Marc
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page:
http://marc.merlins.org/ | Finger marc_f@??? for PGP key
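The per-host arithmetic Jeffrey did by hand and Marc's top-50 sum, worked over the "count bytes host" stats format quoted in the thread, as an added example that is not part of the original exchange. The regex, the third sample row (relay.example.net), and the reporting functions are constructed here; the 2M per-message threshold and the 1G daily total are the figures the thread mentions.

```python
# Added example: parse "top N by volume" rows of the form "<count> <bytes> <host>"
# (host optionally in parentheses, as in the quoted stats) and answer two
# defender questions: which senders average unusually large messages, and
# how much of the day's total volume the listed rows actually explain.
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed pattern: count, bytes, then a hostname with or without "( )".
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+\(?([^\s()]+)\)?\s*$")


@dataclass
class VolumeRow:
    messages: int
    total_bytes: int
    host: str

    @property
    def avg_bytes(self) -> float:
        """Average message size for this sender (0 if no messages)."""
        return self.total_bytes / self.messages if self.messages else 0.0


def parse_volume_table(text: str) -> list[VolumeRow]:
    """Return one VolumeRow per data line; titles, rules and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(VolumeRow(int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def flag_large_senders(rows: list[VolumeRow], avg_threshold: int) -> list[str]:
    """Hosts whose average message exceeds avg_threshold bytes (e.g. a 2M limit)."""
    return [r.host for r in rows if r.avg_bytes > avg_threshold]


def share_of_total(rows: list[VolumeRow], daily_total_bytes: int) -> float:
    """Fraction of the day's volume accounted for by the listed rows."""
    return sum(r.total_bytes for r in rows) / daily_total_bytes


# Sample table: first two rows are the ones quoted above; the third is constructed
# to show a high-count, low-volume sender that a size limit would not touch.
SAMPLE = """Top 50 sending hosts by volume
------------------------------

    93 104239445 (mail1.synnex.com)
     9  21061348 dhcp-net10-32-sw2-203.sndg.valinux.com
   412   1234567 relay.example.net
"""
```

Running `flag_large_senders(parse_volume_table(SAMPLE), 2 * 1024 * 1024)` lists only the valinux host, since mail1.synnex.com averages just over 1MB, and `share_of_total(..., 1_000_000_000)` shows these three rows explain about 12.7% of a 1G day.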