[PLUG] Quick And Dirty Network Profiling

Jason Van Cleve jason at vancleve.com
Tue Sep 7 12:52:02 PDT 2004

First off, I am not a system admin, but I rent a server on
SprocketData.  Normally, I use about 0% of my included bandwidth, but
last month I used nearly ten gigs, around nine of which were consumed
between August 17th and August 19th.  The trend this month is also
disturbing.  So evidently I've picked up some species of parasite.

I ran chkrootkit, and no problems showed up; and my FTP system looks to
be in order.  (I know, FTP is "bad", but it hasn't been a problem.)

So I'm guessing someone has figured out how to spam through my SMTP
relay, but with so much spam bouncing around, it's hard to tell from my
mail logs what's going on.  I'm just not sure how to diagnose this, and
I'd appreciate some pointers.

To begin with, I'd like a quick and dirty network monitor by which I can
see where all that bandwidth is going.  A high-level, packets-per-port
type thing will do, something I can run for a few days and then check
the averages.  Could just be that someone has found something they liked
in one of my Web sites and told all their friends. . . .

If I determine it is indeed my mail service, how might I determine how
it's being abused?  I run postfix 1.1.11 on this Mandrake 9.1 (I think)
system.  For all I know, it could be one of my few mail users trying to
send a really big attachment, or something like that, but I rather
suspect it's a spammer.

Any advice for a simple programmer?  Thanks,

--Jason Van Cleve

Due to management cuts, the light at the end of the tunnel will now be
switched off.
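An added example of the kind of quick-and-dirty per-port profile the post asks for; it is not part of Jason's message or of any tool he mentions. It reads lines in the shape that `tcpdump -nn -q` prints (the sample lines below are constructed, with documentation addresses and made-up byte counts), tallies packets and bytes per local port in each direction, and for one port breaks the traffic down by remote host, which is what separates "one user sending a huge attachment" from "many strangers using the relay". The server address, the filename and the helper names are assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -nn -q` output. Not a real
# capture: 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges and the payload lengths are invented.
SAMPLE_LINES = """\
12:52:01.000001 IP 192.0.2.10.25 > 198.51.100.7.40001: tcp 1460
12:52:01.000512 IP 192.0.2.10.25 > 198.51.100.7.40001: tcp 1460
12:52:01.001000 IP 192.0.2.10.80 > 203.0.113.9.51234: tcp 512
12:52:01.002000 IP 203.0.113.9.51234 > 192.0.2.10.80: tcp 0
12:52:01.003000 IP 192.0.2.10.25 > 198.51.100.8.40002: tcp 1460
12:52:01.004000 IP 192.0.2.10.21 > 203.0.113.20.33000: tcp 300
12:52:01.005000 IP 192.0.2.10.53 > 203.0.113.21.1025: udp 80
12:52:01.006000 IP 203.0.113.21.1025 > 192.0.2.10.53: udp 40
"""

LOCAL_IP = "192.0.2.10"  # assumed address of the rented server

# timestamp IP src.sport > dst.dport: proto length
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>[a-z]+) (?P<length>\d+)"
)


def parse(line):
    """Return (src, sport, dst, dport, proto, length) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            m["proto"], int(m["length"]))


def profile_by_port(lines, local_ip=LOCAL_IP):
    """Aggregate (packets, bytes) keyed by (direction, proto, local_port)."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport, proto, length = rec
        if src == local_ip:
            key = ("out", proto, sport)
        elif dst == local_ip:
            key = ("in", proto, dport)
        else:
            continue  # neither end is this host; ignore
        stats[key][0] += 1
        stats[key][1] += length
    return {k: tuple(v) for k, v in stats.items()}


def top_ports(stats, n=5):
    """The n (direction, proto, port) keys carrying the most bytes."""
    return sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True)[:n]


def remote_hosts_for_port(lines, local_port, local_ip=LOCAL_IP):
    """Bytes exchanged per remote host on one local port, both directions."""
    per_host = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport, _proto, length = rec
        if src == local_ip and sport == local_port:
            per_host[dst] += length
        elif dst == local_ip and dport == local_port:
            per_host[src] += length
    return dict(per_host)


if __name__ == "__main__":
    # Usage (assumed): tcpdump -nn -q -i eth0 | python portprofile.py
    # With no piped input the constructed sample is used instead.
    lines = list(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    stats = profile_by_port(lines)
    for (direction, proto, port), (pkts, nbytes) in top_ports(stats):
        print(f"{direction:>3} {proto} port {port:<5} {pkts:>6} pkts {nbytes:>10} bytes")
    busiest = top_ports(stats, 1)[0][0][2]
    for host, nbytes in sorted(remote_hosts_for_port(lines, busiest).items(),
                               key=lambda kv: kv[1], reverse=True):
        print(f"  port {busiest}: {host:<15} {nbytes} bytes")
```

The parser is tied to the `IP src.port > dst.port: proto length` shape, so compare it against what the local tcpdump actually prints before trusting the numbers; a capture left running with `-w` and profiled later works the same way through `tcpdump -nn -q -r file`.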

