Re: [Exim] Where did all the mail come from and go?

Pàgina inicial
Delete this message
Reply to this message
Autor: Dave C.
Data:  
A: Marc MERLIN
CC: Jeffrey Goldberg, exim-users
Assumpte: Re: [Exim] Where did all the mail come from and go?
Hrm. Do you relay for any dialup pools? Maybe you have some person
using you to relay a very large number of small messages, and they are
sending a small number on each connection. (Assuming different dynamic
IP's for each connection)

Maybe you should take a look directly at the exim mainlog and take some
counts of messages delivered...


On Fri, 26 Jan 2001, Marc MERLIN wrote:

> On Fri, Jan 26, 2001 at 10:10:05PM -0800, Jeffrey Goldberg wrote:
> > > I'm trying to understand where the gig of mail (when I usually only
> > > see 3 to 400MB) came from and went to. I see a source for 100MB, but
> > > nothing that adds up to a 1G+ (I mean, I do see local, but that
> > > doesn't help me).
> > >
> > > As you guessed, I want to find out what's happening and teach the culprits
> > > about other fine protocols like ftp and http :-)
> >
> > > Top 50 sending hosts by volume
> > > ------------------------------
> > >
> > >      93  104239445   (mail1.synnex.com)

> >
> > Well that site has an average of about 1M per message.
> >
> > >       9   21061348   dhcp-net10-32-sw2-203.sndg.valinux.com

> >
> > And they are sending about 2M per message.
>
> I know, I did see those, but it just didn't seem to add up.
> I only have the first 50, and it adds up to about 500MB, more than what I
> initially thought after some quick math, but it was hard to believe that I
> have another 500MB+ in sites that each sent 2MB or less. Apparently, it has
> to be the case afterall.
> I'm just trying to find the "problem" since the stats more than doubled for
> that day.
>
>
> > > Top 50 destinations by volume
> > > -----------------------------
> > >       1    9436888   mailhost.worksta.com

> >
> > I think you can do the math in your head.
> >
> > >       1    8955808   mail.flyinglogo.com

> >
> > Likewise.
>
> Yep. I know there are a few of those. I think I was focussing too much on
> finding some obvious abuse in one specific place, but apparently we're
> talking generalized abuse by several users all on the same day.
>
> > > Top 50 local destinations by volume
> > > -----------------------------------
> > >
> > >      29   99267405   gbandak

> >
> > That user gets an average of 3M per message.
>
> Yes, I know, I already flagged him :-)
>
> but you're right, the first 50 users do add up to 437MB, it's just a lot.
>
> > But an easier way is to just set the message size limit to 2M and see who
> > screems.
>
> I've entertained the idea more than once, trust me, but the CIO and CFO
> don't seem to agree with me, go figure :-)
>
> > PS: I'm not sure of the appropriateness of posting all of that traffic
> > info about your users. But I assume that you considered that.
>
> Yeah, I did.
> I forgot to snip the the relayed messages section which was of no relevance,
> but for the rest, it'd have been a lot of work to change all the login names
> to dummy names and change all the hostnames too, and considering that one
> can fairly easily harvest that information from the net already and our web
> site, I didn't bother...
>
> I seems that I was looking for something that I thought was missing, but
> when you prompted me to add up the numbers, while I can only account for
> about half the totals with the top 50, it's clear that there aren't any
> errors in the log reporting and indeed this was a bad day (not that the mail
> server really minded, its load average is below 0.20 typically, but moving
> as much mail in a day than sourceforge seemed weird...)
>
> Thanks for poking a stick at the logs.
>
> Marc
>


--