Bappasaheb Nirmal
2017-Mar-21 16:50 UTC
dovecot POP3 log shows too many identical RETR entries
Hello,

The Dovecot log is showing too many POP3 RETR entries which are identical lines. I also suspect that it is causing high POP traffic eating most of the network bandwidth. Here are some of the lines out of 11009 in a day. Such a pattern is observed only for a few users. The Dovecot version is 2.1.17.

=============
Mar 20 00:00:07 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:07 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=26645, secured, session=<5CGrmRlLyAAr861h>
Mar 20 00:00:10 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:11 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=29932, secured, session=<k6/gmRlL3gAr861h>
Mar 20 00:00:12 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:13 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=26819, secured, session=<3DX6mRlLUQAr861h>
Mar 20 00:00:14 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:15 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=9636, secured, session=<x5ghmhlLjwAr861h>
Mar 20 00:00:16 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:17 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=4585, secured, session=<8Yw+mhlL0AAr861h>
Mar 20 00:00:18 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:18 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=30049, secured, session=<UsJOmhlLmAAr861h>
Mar 20 00:00:19 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:20 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=9636, secured, session=<B6VimhlLNgAr861h>
Mar 20 00:00:20 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:20 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=4584, secured, session=<pVpxmhlLPwAr861h>
Mar 20 00:00:21 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out top=0/0, retr=1/64014, del=0/1429, size=478762716
Mar 20 00:00:23 pi3 dovecot: pop3-login: Login: user=<user at example.com>, method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=4585, secured, session=<MlGam
=============

What could be the possible reason?

Thanks,
Bappasaheb
Steffen Kaiser
2017-Mar-22 07:33 UTC
dovecot POP3 log shows too many identical RETR entries
On Tue, 21 Mar 2017, Bappasaheb Nirmal wrote:

> The Dovecot log is showing too many POP3 RETR entries which are identical lines.
> I also suspect that it is causing high POP traffic eating most of the network
> bandwidth. Here are some of the lines out of 11009 in a day. Such a pattern is
> observed only for a few users. The Dovecot version is 2.1.17.
>
> =============
> Mar 20 00:00:07 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out
> top=0/0, retr=1/64014, del=0/1429, size=478762716
> Mar 20 00:00:07 pi3 dovecot: pop3-login: Login: user=<user at example.com>,
> method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=26645, secured,
> session=<5CGrmRlLyAAr861h>
> Mar 20 00:00:10 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out
> top=0/0, retr=1/64014, del=0/1429, size=478762716
> Mar 20 00:00:11 pi3 dovecot: pop3-login: Login: user=<user at example.com>,
> method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=29932, secured,
> session=<k6/gmRlL3gAr861h>
> =============
>
> What could be the possible reason?

Stating the obvious: it looks like normal POP3 polling with an abnormally short interval.

To verify the guess, sniff the network traffic to see if the clients open a connection in that short time. If so, check out the users' devices to see why the client is polling so often.

--
Steffen Kaiser
Steffen Kaiser
2017-Mar-22 07:37 UTC
dovecot POP3 log shows too many identical RETR entries
On Wed, 22 Mar 2017, Steffen Kaiser wrote:

> On Tue, 21 Mar 2017, Bappasaheb Nirmal wrote:
>
>> The Dovecot log is showing too many POP3 RETR entries which are identical
>> lines.
>> I also suspect that it is causing high POP traffic eating most of the
>> network
>> bandwidth. Here are some of the lines out of 11009 in a day. Such a pattern
>> is
>> observed only for a few users. The Dovecot version is 2.1.17.
>>
>> =============
>> Mar 20 00:00:07 pi3 dovecot: pop3(user at example.com): Disconnected: Logged
>> out
>> top=0/0, retr=1/64014, del=0/1429, size=478762716
>> Mar 20 00:00:07 pi3 dovecot: pop3-login: Login: user=<user at example.com>,
>> method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=26645, secured,
>> session=<5CGrmRlLyAAr861h>
>> Mar 20 00:00:10 pi3 dovecot: pop3(user at example.com): Disconnected: Logged
>> out
>> top=0/0, retr=1/64014, del=0/1429, size=478762716
>> Mar 20 00:00:11 pi3 dovecot: pop3-login: Login: user=<user at example.com>,
>> method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=29932, secured,
>> session=<k6/gmRlL3gAr861h>
>> =============
>>
>> What could be the possible reason?
>
> Stating the obvious: it looks like normal POP3 polling with an abnormally short
> interval.
>
> To verify the guess, sniff the network traffic to see if the clients open a
> connection in that short time. If so, check out the users' devices to see why the
> client is polling so often.

Oh, forgot to mention: it looks like the client downloads the same message of 456MB each time again?

--
Steffen Kaiser
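Added example, not part of any post in this thread: one way to confirm the short-interval polling pattern from the log itself, by measuring the gap between POP3 logins per user and client address and checking whether every session repeats the same RETR counters with nothing deleted. The function name, thresholds, year parameter and sample users/addresses are assumptions made for illustration; the logout regex assumes Dovecot's default pop3_logout_format.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOGIN = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dovecot: pop3-login: Login: "
                   r"user=<([^>]+)>.*?\brip=([0-9A-Fa-f.:]+)")
# Assumes the default pop3_logout_format: retr=<count>/<bytes>, del=<deleted>/<total>.
LOGOUT = re.compile(r"dovecot: pop3\(([^)]+)\): Disconnected: Logged out "
                    r".*?retr=(\d+)/(\d+), del=(\d+)/\d+")

def find_tight_pollers(log_text, year=2017, max_gap_s=30, min_sessions=3):
    """Flag (user, rip) pairs whose median gap between logins is <= max_gap_s."""
    logins = defaultdict(list)    # (user, rip) -> login timestamps
    sessions = defaultdict(list)  # user -> (retr_count, retr_bytes, deleted)
    for line in log_text.splitlines():
        if m := LOGIN.search(line):
            # Syslog timestamps carry no year, so the caller supplies one (assumed).
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            logins[(m[2], m[3])].append(ts)
        elif m := LOGOUT.search(line):
            sessions[m[1]].append((int(m[2]), int(m[3]), int(m[4])))
    findings = []
    for (user, rip), times in sorted(logins.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < min_sessions or not gaps or median(gaps) > max_gap_s:
            continue
        stats = sessions.get(user, [])  # logout lines carry no rip: per user
        # Identical non-empty RETR and no DELE in every session: same mail re-fetched.
        same = len(set(stats)) == 1 and stats[0][0] > 0 and stats[0][2] == 0
        findings.append({"user": user, "rip": rip, "sessions": len(times),
                         "median_gap_s": median(gaps), "same_retr_every_session": same,
                         "retr_bytes": sum(s[1] for s in stats)})
    return findings

# Constructed sample in the thread's log format (not the poster's data):
# alice polls every 4 s re-fetching one message, bob polls every 10 minutes.
def _session(hms, user, rip, stats):
    head = f"Mar 20 {hms} mx dovecot: "
    return (f"{head}pop3-login: Login: user=<{user}>, method=PLAIN, rip={rip}, "
            f"lip=192.0.2.18, mpid=1, secured, session=<x>\n"
            f"{head}pop3({user}): Disconnected: Logged out {stats}\n")

SAMPLE_LOG = "".join(
    [_session(f"00:00:{s:02d}", "alice@example.com", "203.0.113.5",
              "top=0/0, retr=1/64014, del=0/1429, size=478762716") for s in (7, 11, 15, 19)]
    + [_session(f"00:{m:02d}:05", "bob@example.com", "198.51.100.9",
                "top=0/0, retr=0/0, del=0/12, size=90210") for m in (0, 10, 20)])
print(find_tight_pollers(SAMPLE_LOG))
```

A flagged pair with same_retr_every_session set points at a client that fetches the same message on every poll and never deletes it; retr_bytes sums the RETR bytes those sessions transferred.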