Hrm. Do you relay for any dialup pools? Maybe you have some person
using you to relay a very large number of small messages, and they are
sending a small number on each connection. (Assuming different dynamic
IPs for each connection)

Maybe you should take a look directly at the exim mainlog and take some
counts of messages delivered...

On Fri, 26 Jan 2001, Marc MERLIN wrote:
> On Fri, Jan 26, 2001 at 10:10:05PM -0800, Jeffrey Goldberg wrote:
> > > I'm trying to understand where the gig of mail (when I usually only
> > > see 3 to 400MB) came from and went to. I see a source for 100MB, but
> > > nothing that adds up to a 1G+ (I mean, I do see local, but that
> > > doesn't help me).
> > >
> > > As you guessed, I want to find out what's happening and teach the culprits
> > > about other fine protocols like ftp and http :-)
> >
> > > Top 50 sending hosts by volume
> > > ------------------------------
> > >
> > > 93 104239445 (mail1.synnex.com)
> >
> > Well that site has an average of about 1M per message.
> >
> > > 9 21061348 dhcp-net10-32-sw2-203.sndg.valinux.com
> >
> > And they are sending about 2M per message.
>
> I know, I did see those, but it just didn't seem to add up.
> I only have the first 50, and it adds up to about 500MB, more than what I
> initially thought after some quick math, but it was hard to believe that I
> have another 500MB+ in sites that each sent 2MB or less. Apparently, it has
> to be the case after all.
> I'm just trying to find the "problem" since the stats more than doubled for
> that day.
>
>
> > > Top 50 destinations by volume
> > > -----------------------------
> > > 1 9436888 mailhost.worksta.com
> >
> > I think you can do the math in your head.
> >
> > > 1 8955808 mail.flyinglogo.com
> >
> > Likewise.
>
> Yep. I know there are a few of those. I think I was focussing too much on
> finding some obvious abuse in one specific place, but apparently we're
> talking generalized abuse by several users all on the same day.
>
> > > Top 50 local destinations by volume
> > > -----------------------------------
> > >
> > > 29 99267405 gbandak
> >
> > That user gets an average of 3M per message.
>
> Yes, I know, I already flagged him :-)
>
> but you're right, the first 50 users do add up to 437MB, it's just a lot.
>
> > But an easier way is to just set the message size limit to 2M and see who
> > screams.
>
> I've entertained the idea more than once, trust me, but the CIO and CFO
> don't seem to agree with me, go figure :-)
>
> > PS: I'm not sure of the appropriateness of posting all of that traffic
> > info about your users. But I assume that you considered that.
>
> Yeah, I did.
> I forgot to snip the relayed messages section which was of no relevance,
> but for the rest, it'd have been a lot of work to change all the login names
> to dummy names and change all the hostnames too, and considering that one
> can fairly easily harvest that information from the net already and our web
> site, I didn't bother...
>
> It seems that I was looking for something that I thought was missing, but
> when you prompted me to add up the numbers, while I can only account for
> about half the totals with the top 50, it's clear that there aren't any
> errors in the log reporting and indeed this was a bad day (not that the mail
> server really minded, its load average is below 0.20 typically, but moving
> as much mail in a day as sourceforge seemed weird...)
>
> Thanks for poking a stick at the logs.
>
> Marc
>
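The mainlog count suggested at the top of this thread, as an added example that is not part of the original messages: it totals arrival volume per sending host with no top-50 cutoff, then regroups by /24 so a dialup pool spread over many dynamic IPs shows up as one source. It assumes Exim's `<=` arrival lines with `H=host [ip]` and `S=size` fields and IPv4 addresses; the function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Exim mainlog layout; hosts, addresses and sizes are made up.
SAMPLE_LOG = """\
2001-01-26 09:00:01 14M5xK-0001ab-00 <= a@example.com H=mail.example.com [192.0.2.10] P=esmtp S=3000000
2001-01-26 09:00:05 14M5xK-0001ab-00 => bob <bob@example.org> D=localuser T=local_delivery
2001-01-26 09:01:00 14M5xL-0001ac-00 <= u@example.net H=dial-17.example.net [198.51.100.17] P=smtp S=400000
2001-01-26 09:02:00 14M5xM-0001ad-00 <= u@example.net H=dial-44.example.net [198.51.100.44] P=smtp S=500000
2001-01-26 09:03:00 14M5xN-0001ae-00 <= u@example.net H=dial-90.example.net [198.51.100.90] P=smtp S=600000
2001-01-26 09:04:00 14M5xO-0001af-00 <= root@example.org U=root P=local S=1200
"""

# Arrival lines: <date> <time> <msgid> <= <sender> [H=host [ip]] ... S=<bytes>
ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+(?P<rest>.*)$")
HOST_IP = re.compile(r"\bH=(?P<host>.*?)\s*\[(?P<ip>[0-9.]+)\]")  # IPv4 only
SIZE = re.compile(r"\bS=(?P<size>\d+)\b")

def arrivals(lines):
    """Yield (host, ip, size) for every message-arrival line; skip everything else."""
    for line in lines:
        m = ARRIVAL.match(line)
        size = SIZE.search(m.group("rest")) if m else None
        if not size:
            continue
        h = HOST_IP.search(m.group("rest"))
        if h:  # remote submission; fall back to the IP when no name was logged
            yield h.group("host") or h.group("ip"), h.group("ip"), int(size.group("size"))
        else:  # no H= field: locally submitted message
            yield "local", None, int(size.group("size"))

def volume_by(lines, key):
    """Map key(host, ip) -> [message count, total bytes], with no top-N cutoff."""
    totals = defaultdict(lambda: [0, 0])
    for host, ip, size in arrivals(lines):
        entry = totals[key(host, ip)]
        entry[0] += 1
        entry[1] += size
    return dict(totals)

def by_host(host, ip):
    return host

def by_net24(host, ip):
    """Collapse dynamic addresses from one pool into their /24."""
    return "local" if ip is None else ip.rsplit(".", 1)[0] + ".0/24"

def tail_share(totals, limit):
    """Return (bytes from sources that each sent <= limit, bytes from all sources)."""
    tail = sum(b for _, b in totals.values() if b <= limit)
    return tail, sum(b for _, b in totals.values())
```

On a real log, pass the open mainlog file as `lines`; a tail that is large when grouped by host but small when grouped by /24 points at one pool rather than many unrelated small senders.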