LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-29-2012, 09:54 AM   #16
minisaurus
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0

Sorry - not an ISP - a shared web host provider. There's only one e-mail account - mine! I use my laptop and iPhone to access it via IMAP. The attached file shows the recorded usage in August, September and October.
Attached: Screenshot from 2012-10-29 15:52:05.png (102.5 KB)
 
Old 10-29-2012, 10:24 AM   #17
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I'd politely ask tech support for your web hosting to query the server logs for any IP that is not yours (laptop and iPhone) using the IMAP protocol.

or if you have access to that... maybe we can peek at the log to see what is what...?

It's been 2+ years since I've had to dive into a cPanel host, so this info may even be in cPanel on your host.

Seems you have to contact them now since your webpage declares "Bandwidth Limit Exceeded".

http://www.google.com/safebrowsing/d...e=92.48.90.132 says the IP is clean.

http://www.google.com/safebrowsing/d...radkonsult.com says your domain name is clean.
61 G is a little "off". Is that for both domains in the graphic?

Others may have another analysis.

Sorry, if that's not more helpful.

Last edited by Habitual; 10-29-2012 at 10:25 AM.
 
1 members found this post helpful.
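The check Habitual suggests above (find IMAP logins from any address that is not the laptop or the phone), as an added example that is not code from the post, from Dovecot or from the hosting provider: a POSIX shell script that reads a mail log and lists login source addresses outside an allowlist, plus failed-authentication disconnects per source. The log lines are constructed to follow Dovecot's imap-login format (the thread's server was on Courier at this point, so the format is an assumption), the addresses are RFC 5737 documentation ranges, and `MY_IPS` stands in for the owner's real client addresses.

```shell
#!/bin/sh
# Added example: pull the source addresses of successful IMAP logins out of a
# Dovecot-style log and flag any not on the owner's allowlist (laptop + phone),
# plus count "auth failed" disconnects per source. Log lines below are
# constructed to match Dovecot's imap-login format; the addresses are
# RFC 5737 documentation ranges, not addresses from the thread.

sample_imap_log() {
  cat <<'EOF'
Oct 29 09:10:01 host dovecot: imap-login: Login: user=<me@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, mpid=1201, TLS
Oct 29 09:12:44 host dovecot: imap-login: Login: user=<me@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, mpid=1210, TLS
Oct 29 09:15:09 host dovecot: imap-login: Login: user=<me@example.com>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.1, mpid=1233, TLS
Oct 29 09:15:10 host dovecot: imap-login: Login: user=<me@example.com>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.1, mpid=1234, TLS
Oct 29 09:16:02 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<me@example.com>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.1, TLS
Oct 29 09:16:30 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.99, lip=192.0.2.1, TLS
Oct 29 09:20:31 host dovecot: imap(me@example.com): Disconnected: Logged out in=1201 out=58314
EOF
}

# rip_counts PATTERN ALLOWLIST: for log lines (stdin) matching PATTERN, count
# the rip= field per address, skipping addresses in the space-separated
# ALLOWLIST; prints "count ip" sorted by address.
rip_counts() {
  awk -v pat="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $0 ~ pat {
      for (i = 1; i <= NF; i++) if ($i ~ /^rip=/) {
        ip = substr($i, 5); sub(/,$/, "", ip)   # strip "rip=" and trailing comma
        if (!(ip in ok)) seen[ip]++
      }
    }
    END { for (ip in seen) print seen[ip], ip }
  ' | sort -k2
}

# Successful logins from addresses that are not yours.
unknown_imap_logins() { rip_counts 'imap-login: Login:' "$1"; }

# Failed-authentication disconnects per source (allowlist still applies, so
# your own mistyped password does not show up as an attacker).
imap_auth_failures() { rip_counts 'imap-login: Disconnected .auth failed' "$1"; }

MY_IPS='203.0.113.10 198.51.100.23'   # assumption: the laptop and the phone
echo '== logins from unknown addresses =='
sample_imap_log | unknown_imap_logins "$MY_IPS"
echo '== auth failures per source =='
sample_imap_log | imap_auth_failures "$MY_IPS"
```

Run against a real file with `unknown_imap_logins "$MY_IPS" < /var/log/maillog` (path varies by host). A non-empty first list means someone other than the owner is fetching the mailbox over IMAP; the second list is the brute-forcing background noise any exposed IMAP port collects, and only entries with large counts, or counts paired with a later successful login, need attention.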
Old 10-29-2012, 11:44 AM   #18
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,657
Blog Entries: 4

Rep: Reputation: 3938
It's very likely that control-panel software is being used as the attack vector. Most unfortunately, that's very easily done. I wasn't paying close attention to a dedicated server a few months ago (set it up in haste ...) and that's exactly how it was penetrated; root-kitted, even.
 
Old 10-29-2012, 12:02 PM   #19
minisaurus
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Thanks Habitual, very helpful. They did mail me a link to a log file, but guess what? It's on my server! So I currently can't access it. I do remember that it was very small, only from today, and only seemed to contain stuff I'd been e-mailing, so not much help. I'm currently waiting for the 'Senior Technical Support' to update me on this issue.

I suppose there might be a bug in their accounting software?
 
Old 10-29-2012, 01:13 PM   #20
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by minisaurus View Post
Thanks Habitual, very helpful. They did mail me a link to a log file, but guess what? It's on my server! So I currently can't access it. I do remember that it was very small, only from today, and only seemed to contain stuff I'd been e-mailing, so not much help. I'm currently waiting for the 'Senior Technical Support' to update me on this issue.

I suppose there might be a bug in their accounting software?
Dunno about bugs.
Ask them to mail you the log to some other email address NOT hosted on that server.

Also, ask them if 15G is "normal" for an IMAP account being used by a laptop and iphone setup/configuration.
It seems a little "excessive" to me. POP[3] yes, IMAP, not so sure.
 
Old 10-29-2012, 01:27 PM   #21
minisaurus
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Here's the logfile. The funny thing is that my e-mail is still working, so I guess the IMAP traffic's still going up, which makes a bit of a mockery of their 'controls'.

You don't know any good providers in Scandinavia?
Attached: EmalLogs.txt (2.5 KB)
 
Old 10-30-2012, 07:01 AM   #22
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
The provided log is too short and it only shows 1 day's? email with 12 log entries.
It doesn't contain anything other than exim (Mail Transport Agent, or MTA) strings and codes.

I'd ask them to provide an accurate bandwidth report, and I wouldn't settle for pretty graphics either. Tell them your accountant wants them. Reports, not graphs.

Sep = 61.88 Megs
Oct = 15.04 Gigs

So, it is my estimate with what details I have here, that unless tradkonsult.com does LOTS of emailing, there seems to be a disconnect with 15.04 Gigs of "usage" over IMAP.

Other opinions may offer more help.
 
1 members found this post helpful.
Old 10-30-2012, 07:16 AM   #23
minisaurus
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Hi Habitual,

I do very little mailing (20ish per day). Interestingly 'bandwidth' went up by nearly 4GB last night when my site was blocked, my computers/phone off and me in bed! So at least the provider now seems to be focussing in the right area - they've restored my site and say that they're logging the mail traffic. Nice tip about the report - I'll try that, and post anything I get here.

It's been quite a learning curve, and I've realised I really don't need joomla for my little site, so will rework in php/html with no db. Should be pretty secure, eh?
 
Old 10-30-2012, 09:55 AM   #24
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by minisaurus View Post
...I really don't need joomla for my little site, so will rework in php/html with no db. Should be pretty secure, eh?
Well, even HTML can be "abused", but the likelihood of occurrence diminishes if you don't use products like Joomla! or WP.

I am not bashing either of those 2 products, but using either with 3rd party addons does pose significant risk of being abused.

Bandwidth going "up" even when your page says "Bandwidth Limit Exceeded" certainly is intriguing.

Please let us know and Have a Great Day!
 
1 members found this post helpful.
Old 10-30-2012, 03:50 PM   #25
minisaurus
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Got this reply from provider's support:

"I have investigated the issue on server and it seems IMAP usage for your domain is increased due to email service on server swaitched from courier to dovcot.
Temporarily I have increased bandwidth for your domain so that you will not face bandwidth exceed message on site.
Also while monitoring the logs on server there is no spamming found from your account."

Not quite sure what this means, but sounds like they're admitting it's a problem they've created?
 
Old 10-30-2012, 04:09 PM   #26
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by minisaurus View Post
Got this reply from provider's support:

"I have investigated the issue on server and it seems IMAP usage for your domain is increased due to email service on server swaitched from courier to dovcot.
Temporarily I have increased bandwidth for your domain so that you will not face bandwidth exceed message on site.
Also while monitoring the logs on server there is no spamming found from your account."

Not quite sure what this means, but sounds like they're admitting it's a problem they've created?
"courier to dovcot. Temporarily I have increased bandwidth for your domain"
Temporarily? and then?

I can only presume that:
Sep = 61.88 Megs = courier
Oct = 15.04 Gigs = dovecot

If memory serves me correctly, we had an issue like this over at Hostforweb.com, and I think they had to re-run quotas for all WHM/cPanel accounts.
They switched to dovecot also, and something just like this event occurred.

I hate cPanel.
 
1 members found this post helpful.
Old 10-30-2012, 05:38 PM   #27
minisaurus
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Shame it takes them so long to work this out - i.e. since last Thursday, plus they made me pay for an upgrade. I've asked them your question, plus asked for a refund. Will let you know what they say.
 
Old 10-31-2012, 07:22 AM   #28
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by minisaurus View Post
Got this reply from provider's support:

"I have investigated the issue on server and it seems IMAP usage for your domain is increased due to email service on server swaitched from courier to dovcot.
Temporarily I have increased bandwidth for your domain so that you will not face bandwidth exceed message on site.
Also while monitoring the logs on server there is no spamming found from your account."

Not quite sure what this means, but sounds like they're admitting it's a problem they've created?
It means a Level I tech support answer. But I don't think it is a canned response due to the mis-spelling of "swaitched" and "dovcot".
"Temporary...", as he or she said, also says: I have no power but to act on this ticket. Temporary is a band-aid.

Temporary is unacceptable and you should more than ask for a refund, I'd ask for Credit.
The hosting "game" is chock full of willing businesses that would not charge you for an upgrade you had no control over, so why should your current provider? Did you order the upgrade to dovecot?
Is there a Billing Code for an upgrade to dovecot? Was notification sent to the (no doubt) 100s+ of shared hosting accounts about this (planned?) upgrade?

They blew up your bandwidth, not you.

Also ask if the "trend" of 15.04 Gigs usage, for what little email you do send, is the "new normal" for dovecot.

Just like this forum is great for all things Linux, I'd like to suggest another high-power site called http://www.webhostingtalk.com/

The hosting business companies and practices can be compared there.

Have a Great Day.
 
1 members found this post helpful.
Old 10-31-2012, 08:58 AM   #29
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by minisaurus View Post
I'm afraid I'm very low-tech
(..)
I'm really struggling to get the reseller to explain what's going on
(..)
my provider made me upgrade my plan
IMHO these quotes represent the core problem:
- Being new to Linux is not a problem, but neither should it be used as an excuse. The question is whether you want to learn to use Linux like it is intended or not. If you don't, then similar or worse problems may creep up elsewhere without you noticing until it's (again) too late.
- Low-cost hosting providers and resellers pitch Linux + web-based management as cheap, easy and convenient without mentioning that's only the case for those that already possess enough Linux knowledge to understand the consequences. Without Linux (admin) knowledge the only thing those users are is easy prey.
- Unless you've got a bare-bones contract, unsupportive parties are usually a good indication of them being understaffed, but more likely they are focused (on your money, I mean), flaky, negligent. Apart from accepting an upgrade based on no evidence at all being a poor (business) choice, it also constitutes some basic form of agreement. (And while this thread started off well by asking for log files, IMHO there has been too much speculation for my taste.) And I strongly doubt that, without proper log file evidence, requesting remediation is a possibility. I'd suggest you invest in gaining enough Linux admin knowledge to know what you're doing, chalk this one up as a lesson learned, vote with your wallet and move on.


*One note: best not to use .htaccess files for blocking hosts: it's a performance drain, it's inefficient, slow. If you must block IP addresses, use the Netfilter raw table PREROUTING chain or, more efficient (if your machine provides it), an ipset.
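The blocking approach in the note above, as an added example that is not code from unSpawn's post or from the ipset/iptables projects: a POSIX shell script that turns a plain-text blocklist into `ipset restore` input and emits the single raw-table PREROUTING rule that references the set, in place of one `Deny from` line per host in .htaccess. The set name `blocklist`, the blocklist file format and the sample addresses (RFC 5737 documentation ranges) are assumptions; the `ipset` and `iptables` command syntax is standard, but the script only prints the commands rather than running them, so it needs no root to try out.

```shell
#!/bin/sh
# Added example: build an ipset from a plain-text blocklist and emit the one
# raw-table rule that drops those sources before connection tracking.
# Set name, blocklist format and sample addresses are assumptions for the demo.

# Constructed sample blocklist (RFC 5737 documentation ranges, not real hosts).
# The .htaccess equivalent is one "Deny from 203.0.113.0/24" per line, which
# Apache re-evaluates on every request; the ipset lookup happens in the kernel.
sample_blocklist() {
  cat <<'EOF'
# hosts that hammered the site
203.0.113.0/24      # whole /24
198.51.100.7
198.51.100.7        # duplicate, must be emitted once
192.0.2.250/32
999.1.1.1           # invalid octet, must be skipped, not loaded
EOF
}

# is_ipv4_or_cidr ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/0-32 with octets <= 255
is_ipv4_or_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  addr=${1%%/*}
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# gen_ipset_restore SETNAME: blocklist on stdin -> "ipset restore" input on stdout.
# Comments and blanks are dropped, entries deduplicated, malformed ones reported
# as comments so a typo never silently widens or narrows the block.
gen_ipset_restore() {
  printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$1"
  sed 's/#.*//' | tr -d ' \t' | grep -v '^$' | sort -u |
    while IFS= read -r entry; do
      if is_ipv4_or_cidr "$entry"; then
        printf 'add %s %s\n' "$1" "$entry"
      else
        printf '# skipped invalid entry: %s\n' "$entry"
      fi
    done
}

# gen_iptables_rule SETNAME: the single rule referencing the set. The raw
# table's PREROUTING chain is traversed before conntrack, so dropped packets
# never create connection-tracking state, unlike a DROP in filter/INPUT.
gen_iptables_rule() {
  printf 'iptables -t raw -I PREROUTING -m set --match-set %s src -j DROP\n' "$1"
}

# Stand-alone demo: print what would be fed to "ipset restore -exist" and run.
sample_blocklist | gen_ipset_restore blocklist
gen_iptables_rule blocklist
```

To apply on a real host: `gen_ipset_restore blocklist < blocklist.txt > blocklist.ipset`, then `ipset restore -exist < blocklist.ipset` (the `-exist` flag makes reloading an updated list idempotent), then run the printed `iptables` rule once. `hash:net` accepts both single addresses and prefixes, so one set covers both; adding or removing an address afterwards is an `ipset add`/`ipset del` with no rule reload and no web server restart.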
 
Old 10-31-2012, 04:07 PM   #30
minisaurus
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Have to disagree unSpawn - I think the 'core' problem lay with my web hosting provider. I take your point re. logs, but as they wouldn't forward them to me, what could I do? I'm very grateful for the help I received here, which has helped me in my dealings with the provider. I just received this from them:

"As we have switch the server from courier to dovcot all of the courier logs has been cleared. Switching mail servers may cause some mail clients to redownload all stored mail messages for the account. This is primarily is seen with POP3 configured accounts, which sometimes usages the bandwidth.

Please accept my sincere apologies for the inconvenience caused to you. The bandwidth limit will be reset tomorrow for all f the accounts on server and you should not face any more problems."

so I'll mark the thread as solved.
Thanks again all!
 
  

