dovecot POP3 log shows too many identical RETR entries

[Steffen Kaiser]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 21 Mar 2017, Bappasaheb Nirmal wrote:

> Dovecot log is showing too many POP3 RETR entries which are identical lines. 
> I also suspect that it is causing high pop traffic eating most of the network 
> bandwidth. Here are some of the lines out of 11009 in a day.  Such pattern is 
> observed only for few users. dovecot version is 2.1.17.
>
> ==============
> Mar 20 00:00:07 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out 
> top=0/0, retr=1/64014, del=0/1429, size=478762716
> Mar 20 00:00:07 pi3 dovecot: pop3-login: Login: user=<user at example.com>, 
> method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=26645, secured, 
> session=<5CGrmRlLyAAr861h>
> Mar 20 00:00:10 pi3 dovecot: pop3(user at example.com): Disconnected: Logged out 
> top=0/0, retr=1/64014, del=0/1429, size=478762716
> Mar 20 00:00:11 pi3 dovecot: pop3-login: Login: user=<user at example.com>, 
> method=PLAIN, rip=43.243.173.97, lip=192.168.1.18, mpid=29932, secured, 
> session=<k6/gmRlL3gAr861h>
> ==============
>
> What could be the possible reason?

stating the obvious: it looks like normal POP3 polling with abnormal short 
interval.

To verify the guess sniff the network traffic, if the clients open a 
connection in that short time. If so, check out the users devices, why the 
client is polling so often.

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBWNIosnz1H7kL/d9rAQIPkwf/QtvBFJTlC/ldSriN7yFfvhqwwHSkr1xo
4QyO05oyTAewnR0b6fvWTM9/RJxye8pDqijxDDAbH+NhsUOanmHEW+5VAERt1Qaw
yij7jnJ4UQTpmTAgi1Esw87da5eHtiVrYI+v4Z+Xceh1NNzk+MZL7nqBYtztE3C/
9D1BprkKgEVCJPi5MnNBN4n2pQSlGO9WmOpdsELYOnJ5ekp0VpkSO4xk90t347uy
pDR77Ao61UBXPYtMnBOO5NDjjcduLSd0tTpWyGIlkLomcK0FSgZpblC/GQ7awnO8
MFtcBBMb3nstIjAJyx6h7jS0zLG3Uadsnc/DbGJnu0PRsgTMgwMSkg==
=vUqj
-----END PGP SIGNATURE-----