cPanel Server IP On Spam List
So I'm looking for guidance as I'm getting reports that our IP address is being flagged as spam.
Now this cPanel system has only about 20 accounts, 19 of which are mine, and I know for sure that I'm not sending any mailings.
So I'm trying to figure out where these spamming attempts are "supposedly" coming from and verify if there is indeed something on the server side that is being exploited for mailing.
I tried looking in the Mail Delivery Reports ("This screen allows you to find and review messages sent from and received by your server.").
The only one that has a lot of failed attempts is the -remote- one; however that seems to be just showing email that failed to be delivered inbound to my server.
So what's the recommended action for fleshing out where this spam "could" be coming from if the IP is being blacklisted?
I've also looked over cPanel's guide for recommended mail settings such as SMTP restrictions, etc. I already have mail limited and SMTP secured.
To clarify, your server's IP address being flagged as spam has nothing to do with cPanel at all. This is most commonly associated with an IP address or a domain. It's possible your provider's entire netblock was added to a spam list without your knowledge as well. To help you get to the cause of the issue: Where are you being flagged as spam? Is your IP on an RBL? Having mail limited is great, but are you following best practices for mail delivery? This includes having valid DKIM, PTR and SPF records for all domains and IPs on the server.
It's not being listed by most results when I checked. However, the specific lists I got a bounce back from:

Thank you for contacting Spamhaus CSS Removals, We have reviewed the CSS listing for xx and are retaining that listing at this time. We do not discuss criteria for inclusion in the CSS. However, it includes many factors. This IP address matches several of those criteria.

Another was: blocked using antispam.fasthosts.co.uk

I understand that the problem isn't directly related to cPanel itself; however, I'm trying to find the best way to verify and see where this issue is. I.e. if the cPanel server itself is compromised and sending unsolicited mailings, or if someone is somehow using it remotely.
May I recommend setting up the mail server to use SendGrid. I recently experienced a similar issue with Microsoft giving me the run around. SendGrid routing has helped.
When looking into Email Deliverability in WHM it says:

Mail HELO
The name by which the server identifies itself when sending mail from "cpanel1.serverdomain.com".
text.schnellrund.com

This domain is not associated with the server in any way. So where is this value coming from? When I look up that URL on Google it comes back as a known spamming host.
Checking further, exim_mainlog has:

2020-03-08 04:15:33 SMTP connection from [193.56.28.190]:48952 (TCP/IP connection count = 1)
2020-03-08 04:15:33 no host name found for IP address 193.56.28.190
2020-03-08 04:15:34 SMTP connection from (ADMIN) [193.56.28.190]:48952 closed by QUIT
2020-03-08 04:18:34 SMTP connection from [193.56.28.190]:52400 (TCP/IP connection count = 1)
2020-03-08 04:18:34 no host name found for IP address 193.56.28.190
2020-03-08 04:18:34 SMTP connection from (ADMIN) [193.56.28.190]:52400 closed by QUIT
2020-03-08 04:19:46 SMTP connection from [127.0.0.1]:38768 (TCP/IP connection count = 1)
2020-03-08 04:19:46 SMTP connection from (localhost) [127.0.0.1]:38768 closed by QUIT
2020-03-08 04:19:49 SMTP connection from [180.70.134.101]:42934 (TCP/IP connection count = 1)
2020-03-08 04:20:09 TLS error on connection from (oneofmydomains.com) [180.70.134.101]:42934 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2020-03-08 04:20:09 SMTP connection from (oneofmydomains.com) [180.70.134.101]:42934 closed by EOF
2020-03-08 04:21:35 SMTP connection from [193.56.28.190]:56100 (TCP/IP connection count = 1)
2020-03-08 04:21:35 no host name found for IP address 193.56.28.190
2020-03-08 04:21:35 SMTP connection from (ADMIN) [193.56.28.190]:56100 closed by QUIT
2020-03-08 04:24:35 SMTP connection from [193.56.28.190]:59502 (TCP/IP connection count = 1)
2020-03-08 04:24:35 no host name found for IP address 193.56.28.190
2020-03-08 04:24:36 SMTP connection from (ADMIN) [193.56.28.190]:59502 closed by QUIT
2020-03-08 04:27:31 SMTP connection from [127.0.0.1]:38818 (TCP/IP connection count = 1)
2020-03-08 04:27:31 SMTP connection from (localhost) [127.0.0.1]:38818 closed by QUIT
2020-03-08 04:27:38 SMTP connection from [193.56.28.190]:34916 (TCP/IP connection count = 1)
2020-03-08 04:27:38 no host name found for IP address 193.56.28.190
2020-03-08 04:27:38 SMTP connection from (ADMIN) [193.56.28.190]:34916 closed by QUIT
2020-03-08 04:29:48 SMTP connection from [54.240.15.31]:33254 (TCP/IP connection count = 1)
2020-03-08 04:30:28 H=a15-31.smtp-out.amazonses.com [54.240.15.31]:33254 F=<2020030801070735dfa567fd6c4efc90e2550745e0p0na-C2UGY734YJSVMI@bounces.amazon.com> temporarily rejected RCPT : Deferred due$
2020-03-08 04:30:39 SMTP connection from [193.56.28.190]:38654 (TCP/IP connection count = 2)
2020-03-08 04:30:39 no host name found for IP address 193.56.28.190
2020-03-08 04:30:40 SMTP connection from (ADMIN) [193.56.28.190]:38654 closed by QUIT
2020-03-08 04:30:52 SMTP connection from a15-31.smtp-out.amazonses.com [54.240.15.31]:33254 closed by QUIT
2020-03-08 04:32:31 SMTP connection from [127.0.0.1]:38846 (TCP/IP connection count = 1)
2020-03-08 04:32:31 SMTP connection from (localhost) [127.0.0.1]:38846 closed by QUIT
2020-03-08 04:33:03 cwd=/var/spool/exim 2 args: /usr/sbin/exim -qG
2020-03-08 04:33:03 Start queue run: pid=25610
2020-03-08 04:33:03 End queue run: pid=25610
2020-03-08 04:33:41 SMTP connection from [193.56.28.190]:42386 (TCP/IP connection count = 1)
2020-03-08 04:33:41 no host name found for IP address 193.56.28.190
2020-03-08 04:33:42 SMTP connection from (ADMIN) [193.56.28.190]:42386 closed by QUIT
2020-03-08 04:36:43 SMTP connection from [193.56.28.190]:45970 (TCP/IP connection count = 1)
Where do you see this exactly?

Mail HELO
The name by which the server identifies itself when sending mail from "cpanel1.serverdomain.com".
text.schnellrund.com

Also, as Lauren suggested, have you applied SPF and DKIM records?
WHM > Email > Email Deliverability. Also, according to that same tab, SPF records and DKIM records are indeed valid and configured. From what I've read, if the HELO domain doesn't match what the server is, it's likely there's a rogue mail system running perhaps? But I haven't seen anything running on a mystery port.
What's displayed in your hostname under 'Networking Setup > Change Hostname'?
My hostname is configured properly server side and cPanel side, so it's not a misconfiguration, and this host name was never used or assigned to the server. It's hard to tell if this is a host name somehow from our previous VPS provider or maybe the current dedicated provider, perhaps being associated with the IP. Googling it seems to suggest it's somehow associated with ColoCrossing, a Canadian based data center. But in any event, searching it leads to results of spam. So this is why I'm not sure if this is a prior issue with perhaps the block I was given, or if the server itself is compromised and sending spam. Either way the HELO hostname is incorrect, yet the server host name is configured properly. When I google text.domain.com it's reporting back that the IP is known as a spam / bot server; however initial records suggest it's from 2017. However, it does then go on to list current hosts associated with my IP. It looks like at one time perhaps the IP was associated with the host domain.com, which no longer seems to resolve to anything. So I can't tell if this is just a case of the provider giving me a block of IPs that were previously associated with spamming, or what. However, the spam listings refuse to remove us from the spam list. So obviously in that case that extends beyond a cPanel issue. So realistically I guess the question of this thread is: 1) How to fix the HELO record so it's not associated with this spam domain of text.domain.com; 2) How to verify if my server does have any malicious mail server running on it.
I did get an alert today from CSF about a suspicious process running under one of the sites:

Time: Wed Mar 11 11:00:29 2020 -0700
PID: 17205 (Parent PID:16591)
Account: THECPANELUSER
Uptime: 42912 seconds
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line (often faked in exploits): spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 127.0.0.1:36540
udp: THESERVERIP:41024 -> 1.1.1.1:53
Files open by the process (if any):
/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/530/bin/spamd
/var/cpanel/locale/en.cdb
/home/CPANELUSER/.razor/razor-agent.log
/usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

The full output is attached here - Pastebin.com

This CSF solution recommended for monitoring / finding out if there is indeed any suspicious activity on the server is turning out to be a real PITA, as it seems like the solution to every error that it gives is "oh just put it in ignore, it's supposed to do that". So how do I know if this is legitimate?
Hello, this is a notification that spamd has exceeded the threshold for which CSF warns that a process has run too long. This is a false positive and can be safely ignored. CSF, like many other software packages, needs to be configured to suit your needs; if you ever have a question about whether or not a process is legitimate feel free to ask here.
When you run the following, what is output?

host

Do you have anything set in /etc/mailhelo?
Running the host command does return text.schnelrund.com; however this has never been configured and looks to be pulling from some old information of the prior owner? Looking at /etc/mailhelo does also echo that same text.schnellrund.com. So that's why I'm confused, as this was never configured by me. Is this something that auto-populates, or is there a possible malicious thing that has modified it?
Are you by chance on a VZ server or other VPS? If so, the container name is set by the host node and this is probably resetting your hostname to the container name. You'd need to talk to your hosting provider to get this changed to the hostname you have set.
We are running on an ESXi instance; however we manage the host, which is named with the correct hostname. This schnelrund.com has no association with us or the current hardware. From the research, this IP block was used years ago by someone with that domain. So now I wonder if I should have us moved to a different block, as it seems to previously have been known as an exploited block back in 2017.
Hello, for starters I'd remove the entry added to /etc/mailhelo.
Second, it's likely that there's a PTR record in place for the IP that resolves to the old hostname that was never changed to reference the new domain.
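The checks Lauren describes in her first reply (valid PTR, SPF and DKIM) and here (a stale PTR and a wrong HELO name) can be scripted so you see exactly which one a receiving server would hold against you. The block below is an added example, not code from the thread or from cPanel: it evaluates forward-confirmed reverse DNS, whether the HELO name resolves back to the sending IP, and a minimal SPF result (ip4/ip6/a mechanisms and the qualifier on all; include and redirect are not handled) against a constructed DNS table instead of live lookups, so it runs offline. The names 203.0.113.10, example.org and the stale text.schnellrund.com PTR on 203.0.113.11 are hypothetical; to run it against real records, replace the DNS dictionary with the answers you get from dig.

```python
"""Added example: offline PTR / HELO / SPF audit of a sending identity.
The DNS table is constructed for the example; every name and IP is hypothetical."""
import ipaddress

# Constructed DNS view, shaped like the answers dig would return (trailing dots = FQDN).
DNS = {
    "PTR": {
        "203.0.113.10": ["cpanel1.serverdomain.com."],
        "203.0.113.11": ["text.schnellrund.com."],  # stale PTR left by a prior owner
    },
    "A": {
        "cpanel1.serverdomain.com.": ["203.0.113.10"],
        "text.schnellrund.com.": [],  # the old name no longer resolves
    },
    "TXT": {
        "example.org.": ["v=spf1 ip4:203.0.113.10 a:cpanel1.serverdomain.com -all"],
        "oneofmydomains.com.": ["v=spf1 +all"],  # deliberately permissive, flagged below
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fqdn(name):
    return name if name.endswith(".") else name + "."


def fcrdns(ip, dns=DNS):
    """Forward-confirmed reverse DNS: PTR gives a name, that name's A must include ip."""
    names = dns["PTR"].get(ip, [])
    confirmed = [n for n in names if ip in dns["A"].get(n, [])]
    return {"ptr": names, "confirmed": confirmed, "ok": bool(confirmed)}


def helo_matches(helo, ip, dns=DNS):
    """The HELO/EHLO name the server announces should resolve to the IP it sends from."""
    return ip in dns["A"].get(fqdn(helo), [])


def spf_result(domain, ip, dns=DNS):
    """Minimal SPF evaluation: first matching ip4/ip6/a mechanism decides, then 'all'."""
    records = [t for t in dns["TXT"].get(fqdn(domain), []) if t.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        kind, _, value = mech.partition(":")
        # ip_network rejects a mixed-version comparison with False, so ip4 vs an IPv6 sender is safe
        if kind in ("ip4", "ip6") and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual]
        if kind == "a" and ip in dns["A"].get(fqdn(value or domain), []):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def audit(domain, helo, ip, dns=DNS):
    """Return the findings a blacklist operator or receiving MTA would hold against this sender."""
    findings = []
    rev = fcrdns(ip, dns)
    if not rev["ok"]:
        findings.append(f"PTR for {ip} is {rev['ptr'] or 'missing'} and does not forward-confirm")
    if not helo_matches(helo, ip, dns):
        findings.append(f"HELO name {helo} does not resolve to {ip}")
    spf = spf_result(domain, ip, dns)
    if spf != "pass":
        findings.append(f"SPF for {domain} from {ip}: {spf}")
    for rec in dns["TXT"].get(fqdn(domain), []):
        if rec.startswith("v=spf1") and rec.split()[-1] in ("all", "+all"):
            findings.append(f"SPF for {domain} ends in +all (anyone may spoof it)")
    return findings


if __name__ == "__main__":
    for args in [("example.org", "cpanel1.serverdomain.com", "203.0.113.10"),
                 ("example.org", "text.schnellrund.com", "203.0.113.11")]:
        print(args, audit(*args) or ["clean"])
```

The second case in the main block reproduces the situation in this thread: a PTR pointing at a dead domain, a HELO name that resolves nowhere, and an SPF fail because the new IP was never added to the record.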
So we've changed our IP block, as it seems that block was associated with a prior botnet / spam range from 2018. Spamhaus however insists that they've received active reports over the past 3 months; however they refuse / can't provide any information to assist in tracking it down. Also, right after changing our IP block, the datacenter flagged the new IP address and null routed it, saying it detected a large volume of mail. However, yet again they also can't provide any information as to what the mailings were or what address they may be coming from.

I've logged into the server and come back with the following:

[root@cpanel ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
      2 /home/site1/public_html
      4 /usr/local/cpanel/whostmgr/docroot
      7 /home/site2/public_html
      7 /home/site3/public_html
      8 /root
     26 /home/site1/whmcsdata/crons
     36 /home/site5/public_html/forums
   1128 /etc/csf

My understanding is this will list all accounts / the highest mail senders from scripts? If so, all look normal except, questionably, the CSF one. CSF was only installed in the past month, and the email it's sending the alerts to is an internal email on the cPanel server, so I wouldn't even think it would be going out and seen by the datacenter firewall? However, that's just sending a bunch of alert emails to my email address, it would seem, and thus not spam or being flagged as spam? So near as I can tell there's not a cPanel account mass mailing, if I'm reading that correctly? Is it saying there were 2 emails sent from Site1?

Looking in WHM at the mail statistics:

Top 50 local senders by message count
Messages  Bytes   Average  Local sender
36        54KB    1536     Site5
34        202KB   6083     root
29        299KB   10KB     Site1
27        120KB   4551     mailnull
7         32KB    4681     Site3
7         6350    907      Site2
None of this looks odd at all. Furthermore, if CSF is sending to an address that is internal (i.e., resides on the server) it'd be considered local mail and doesn't leave the server to be sent. The command you're running to output the mail stats is correct, but keep in mind it's only going to show mail originating from scripts. Are you aware if you're archiving exim's logs? If so, you'll want to search from the date the IP block was changed until present, and it's possible those logs could be archived in /var/log/. We use the following to get a breakdown (it tallies up mail by email account and by user for script mail):

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

An example from my test server:

[root@server ~]# perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
Emails by user:
10 : root
8 : lauren
6 : mailnull
===================
Total: 24
===================
Email accounts sending out mail:
31 : __cpanel__service__auth__icontact__eqs_gh5rptspda42
===================
Total: 31
===================
Directories mail is originating from:
6 : /root
===================
Total: 5
===================
Top 20 Email Titles:
6 : Mail delivery failed: returning message to sender
4 : Cron /usr/sbin/csf -u
4 : Software Updates (server.myhost.us)
4 : [server.myhost.us] cPanel & WHM update failure in upcp script
3 : [server.myhost.us] cPanel version change from “11.86.0.16” to “11.87.9999.92” failed
2 : JetApps - jetbackup Update Failed on server.myhost.us
1 : [server.myhost.us] Altered RPMs found.
===================
Total: 23
===================
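The grep/awk pipeline and sse.pl above both work by pulling fields out of exim_mainlog lines. As an added example (not code from the thread, cPanel or the SSE project), the script below does the same tallies in Python over a constructed log excerpt in cPanel's exim format: mail injected by scripts (the cwd= lines, with /var/spool excluded as in the pipeline), mail sent through authenticated SMTP (the A=dovecot_login:user field, which is what a stolen mailbox password looks like in the log), subject counts (the T="..." field), and the repeated connections from unresolvable IPs seen in the log posted earlier in the thread. The sample lines, hostnames, users and message IDs are all hypothetical; point it at /var/log/exim_mainlog (or an archived copy) to run it for real.

```python
"""Added example: tally an exim_mainlog by script directory, authenticated sender,
subject and SMTP client. SAMPLE_LOG is constructed; all names and IPs are hypothetical."""
import re
import sys
from collections import Counter

SAMPLE_LOG = '''\
2020-03-08 04:15:33 SMTP connection from [193.56.28.190]:48952 (TCP/IP connection count = 1)
2020-03-08 04:15:33 no host name found for IP address 193.56.28.190
2020-03-08 04:15:34 SMTP connection from (ADMIN) [193.56.28.190]:48952 closed by QUIT
2020-03-08 04:18:34 SMTP connection from [193.56.28.190]:52400 (TCP/IP connection count = 1)
2020-03-08 04:18:34 no host name found for IP address 193.56.28.190
2020-03-08 04:33:03 cwd=/home/site5/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2020-03-08 04:33:03 1jB0Xk-0001Vg-2Q <= site5@cpanel1.serverdomain.com U=site5 P=local S=1536 T="New reply to your thread"
2020-03-08 04:33:03 cwd=/var/spool/exim 2 args: /usr/sbin/exim -qG
2020-03-08 04:40:11 1jB0eN-0001Xq-7L <= bob@oneofmydomains.com H=(laptop) [198.51.100.23] P=esmtpsa A=dovecot_login:bob@oneofmydomains.com S=5210 T="Invoice 1042"
2020-03-08 04:40:12 1jB0eO-0001Xr-8M <= bob@oneofmydomains.com H=(laptop) [198.51.100.23] P=esmtpsa A=dovecot_login:bob@oneofmydomains.com S=5210 T="Invoice 1042"
2020-03-08 04:40:13 1jB0eP-0001Xs-9N <= bob@oneofmydomains.com H=(laptop) [198.51.100.23] P=esmtpsa A=dovecot_login:bob@oneofmydomains.com S=5210 T="Invoice 1042"
2020-03-08 04:41:00 cwd=/home/site1/whmcsdata/crons 3 args: /usr/sbin/sendmail -t -i
2020-03-08 04:41:00 1jB0f9-0001Y0-1A <= site1@cpanel1.serverdomain.com U=site1 P=local S=2048 T="Cron <site1> php cron.php"
'''

CWD_RE = re.compile(r" cwd=(\S+) ")                 # directory a local injection came from
AUTH_RE = re.compile(r" A=\w+:(\S+)")                # authenticated SMTP user (A=dovecot_login:...)
SUBJECT_RE = re.compile(r' T="([^"]*)"')             # cPanel logs the subject as T="..."
CONN_RE = re.compile(r"SMTP connection from (?:\S+ )?\[([\d.]+)\]:\d+ \(TCP/IP")
NOHOST_RE = re.compile(r"no host name found for IP address (\S+)")


def count_matches(lines, regex, skip=lambda value: False):
    counts = Counter()
    for line in lines:
        match = regex.search(line)
        if match and not skip(match.group(1)):
            counts[match.group(1)] += 1
    return counts


def script_origins(lines):
    """Same as: grep cwd exim_mainlog | grep -v /var/spool | ... | sort | uniq -c"""
    return count_matches(lines, CWD_RE, skip=lambda d: d.startswith("/var/spool"))


def auth_senders(lines):
    return count_matches(lines, AUTH_RE)


def subjects(lines):
    return count_matches(lines, SUBJECT_RE)


def smtp_clients(lines):
    """Inbound SMTP connections per IP, noting IPs with no reverse DNS."""
    clients = {}
    for line in lines:
        conn = CONN_RE.search(line)
        if conn:
            entry = clients.setdefault(conn.group(1), {"connections": 0, "unresolved": False})
            entry["connections"] += 1
        nohost = NOHOST_RE.search(line)
        if nohost:
            clients.setdefault(nohost.group(1), {"connections": 0, "unresolved": False})["unresolved"] = True
    return clients


def summarize(text, burst=3):
    """burst is the per-account message count above which a mailbox is worth a closer look."""
    lines = text.splitlines()
    senders = auth_senders(lines)
    clients = smtp_clients(lines)
    return {
        "script_dirs": script_origins(lines).most_common(),
        "auth_senders": senders.most_common(),
        "subjects": subjects(lines).most_common(),
        "burst_senders": sorted(user for user, n in senders.items() if n >= burst),
        "probing_ips": sorted(ip for ip, c in clients.items()
                              if c["unresolved"] and c["connections"] >= 2),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

The burst threshold is a placeholder; on a real server you set it from what normal traffic looks like for that account. A compromised mailbox usually shows up as one A= user with a message count far above everyone else and a single repeated subject, which is exactly the combination the script makes visible.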
Ok great, I think I've been able to narrow it down some more using your command. I'm going to continue monitoring and will let you guys know how I made out. Is there a way to make exim start a new log manually and archive the old one, so I can more easily keep track of subject line counts, for example? I did see a bunch of emails (not a large quantity, but about 30 that were sent over a week's time since the log started) with the same subject line; they were sending from cpaneluser@cpanel.host.com. Is it possible to stop scripts from sending out as the main server hostname, or will they always be sent that way if a script is doing it?
30 messages would not have done this, and quite frankly I believe if your provider is indicating that you did send this mail they should be able to provide you evidence as such. The mail from the server can't be changed to reflect differently (coming from cpaneluser@ etc.) but that would *not* have caused your server to be flagged as sending spam mail. You can back up the current exim log and clear it out by doing the following:

cp /var/log/exim_mainlog /var/log/exim_mainlog.bk
cat /dev/null > /var/log/exim_mainlog

You can also compress the backed-up exim mainlog to keep it archived if you like as well:

gzip /var/log/exim_mainlog.bk
Yeah, it's driving me crazy finding what / if is the actual culprit. Spamhaus has refused to answer my requests; basically I submit the request to be unblocked, go through the process, they email me back saying no, they won't remove it. I respond back asking if they can provide any further details so I can investigate. Then they go silent and refuse to respond to follow ups. I've submitted the request to them 3 different times with the old IP and each time that's been the result. The dedicated provider I asked for further clarification, as they said it was a quantity based block on the IP from the other day, so I asked if they could provide me with any statistics, count of email, anything, and they said they'd review and follow up. Their follow up was "ok, we've just whitelisted your IP so it doesn't get blocked again". I've archived the existing log so I can continue to monitor over the weekend. Thanks for the help.
Don't wanna knock your choice in hosting, as I use them as well, but there are definitely some problems there. They have a bad habit of null-routing anyone who sends mail from their own servers. You'll need to contact them to get them to whitelist you on their very mis-configured anti-spam server (which notifies other blacklists). The schnellrund.com thing happens because they are leaving that domain in the PTR records. You'll have to log in to Surge, go down to IP addresses at the bottom left, and you'll be able to change the names and get rid of that mess (it was a straight-up spam domain, and continues to be blocked because it no longer exists). What helps when you're talking to these blacklists is to be specific and let them know when you took over the IPs. Spamhaus especially are pretty quick to fix it if you're proactive like that. If you come off frustrated, they'll aim it right back at you. Hope that's helpful. Good luck!
How do you guys open the exim_mainlog? What command do you use to open and read exim_mainlog?
So just a little side note / question: over the past day I've been getting (yet more) alerts from CSF, this time about mailman, so I just want to check to see if these are things I should be concerned about, as they weren't happening before.

Time: Sat Apr 4 23:27:00 2020 -0700
Account: mailman
Resource: Process Time
Exceeded: 9030 > 1800 (seconds)
Executable: /usr/bin/python2.7
Command Line: /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
PID: 2299 (Parent PID:2286)
Killed: No

Time: Sat Apr 4 23:27:00 2020 -0700
Account: mailman
Resource: Process Time
Exceeded: 9030 > 1800 (seconds)
Executable: /usr/bin/python2.7
Command Line: /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
PID: 2303 (Parent PID:2286)
Killed: No

I keep getting them in batches of about 10 with different commands. They seem to be coming in on the hour, on the dot.
So looking into it further, mailman is used only for mailing lists? So I'm not sure why it's getting excessive resource use. We don't have any mailing lists, and looking at the mail log still shows no suspicious mailings that would be using that. However, CSF is hammering me with mail every hour warning about this. I know I can just disable the alert, but I'd like to figure out what's causing the script to hang, or for that matter if it is hanging or if it's just supposed to always run. In either event, I didn't get these errors until this week. So just something new to add to the pile.
This is a process time warning, just meaning the process has been running longer than CSF's threshold for notifying. Those two processes, the outgoing runner and the bounce runner, are both associated with outbound mailing list mail. If you're getting 10 notifications I'd bet they're for these processes (from my own server):

[root@server ~]# ps faux |grep mailman
mailman 947 0.0 0.0 233664 672 ? Ss 06:33 0:00 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
mailman 951 0.0 0.0 231324 3452 ? S 06:33 0:03 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman 952 0.0 0.1 231360 5516 ? S 06:33 0:03 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman 953 0.0 0.1 231376 5444 ? S 06:33 0:03 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman 954 0.0 0.1 231672 7876 ? S 06:33 0:03 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman 955 0.0 0.0 231436 3460 ? S 06:33 0:03 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman 957 0.0 0.2 231752 8788 ? S 06:33 0:03 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman 958 0.0 0.1 231376 7356 ? S 06:33 0:03 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman 960 0.0 0.0 231376 3456 ? S 06:33 0:00 \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=RetryRunner:0:1 -s

The only mailman related change I see in the changelogs is here: 86 Change Log | cPanel & WHM Documentation, and I don't believe this would cause any changes in behavior for the service.

- When you run the same command as I did, how long does it show you the process has been running?
- When you go to WHM >> Service Configuration >> Service Manager, is mailman shown as being enabled and monitored? I'd assume it's listed as enabled, but I'm primarily curious about its being monitored, as this would allow for it to be restarted in the event it did stall and chkservd wasn't able to obtain a response from the service.