Suspicious process running under user - warnings found
These are notifications facilitated by CSF in regard to the Perl executable running spamd, which is SpamAssassin. In this instance no, it does not appear to be malicious, and generally speaking notifications in regard to spamd can be ignored.
We are getting at least ten emails a day relating to 'spamd child' on a newly commissioned VPS with about 15 individual domains. The user name also changes in each message. Is there any way of stopping them or would that be risky? Hoping you can help.
@xanadu - could you provide me with an example of one of these messages you're seeing? Just make sure to remove any public domains or IP addresses from your post for security.
Hi cPRex. Please see attached Example_1 which is followed immediately by Example_1A. Also attached is Example_2 where there is an additional entry under 'network connections' compared to Example_1. Example_2 is also followed by a message similar to Example_1A. They appear randomly for random users and can occur minutes apart and up to 1 hour apart. Hope you can help. Cheers, Xanadu PS: I will attach Example_2 in a following message.
Example_2 attached
In /etc/csf/csf.pignore look for this line: #cmd:spamd child
Uncomment it (remove the #) and then restart csf/lfd: csf -ra
That tells LFD to ignore the process "spamd child" and you'll stop getting the emails.
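The edit described in the answer above, as an added shell example that is not part of the original thread: it uncomments only an exact, already-present commented line, keeps a backup copy, and reports through its exit status whether anything changed. The function name, the `.bak` suffix and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): enable an existing, commented-out
# entry in an LFD ignore file such as /etc/csf/csf.pignore.
#
# enable_pignore_entry FILE ENTRY   (hypothetical helper name)
#   0  "#ENTRY" was found and uncommented (a FILE.bak copy is kept)
#   1  ENTRY is already active, file untouched
#   2  neither ENTRY nor "#ENTRY" exists as a whole line, file untouched
#   3  FILE unreadable or a write failed
enable_pignore_entry() (
    file=$1
    entry=$2
    [ -r "$file" ] || exit 3
    # Whole-line, fixed-string matches only, so a longer rule that merely
    # contains the text is never mistaken for the one we want.
    if grep -Fxq -e "$entry" "$file"; then exit 1; fi
    if ! grep -Fxq -e "#$entry" "$file"; then exit 2; fi
    cp -p "$file" "$file.bak" || exit 3
    tmp=$(mktemp) || exit 3
    # Strip the leading "#" from exact matches; other lines pass through.
    if awk -v want="#$entry" \
            '$0 == want { print substr($0, 2); next } { print }' \
            "$file" > "$tmp"; then
        # Write through the existing file to keep its owner and mode.
        cat "$tmp" > "$file" || { rm -f "$tmp"; exit 3; }
        rm -f "$tmp"
        exit 0
    fi
    rm -f "$tmp"
    exit 3
)

# Usage: sh this-script /etc/csf/csf.pignore 'cmd:spamd child' && csf -ra
if [ "$#" -eq 2 ]; then
    enable_pignore_entry "$1" "$2"
fi
```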
As @ffeingol mentioned, this is from CSF/LFD so you may want to just disable those notifications completely.