
Suspicious /tmp Spam Assassin Directories/Files

Comments

26 comments

  • cPRex Jurassic Moderator

    Hey there!  Those files in /tmp are normal and expected if you're using SpamAssassin on your machine.  What specific tool is flagging them as being suspicious?

     

    1
  • Unnamed User

    I’m getting the same reports of a suspicious file located in the tmp directory. They are being flagged by LFD in CSF

    0
  • Jim McLaughlin

    Yes, I should have noted that these folders and files are flagged by LFD, as well.

    1
  • baronn

    Yes, having the same issue on multiple servers which have just recently upgraded to the latest cPanel/WHM version 122.0.5.

    I know you guys don't support CSF (LFD), but considering this issue has just popped up AFTER the upgrade, can cPRex provide a fix to stop emails (recent count 148 per server!!!) for suspicious files? Rather than adding in an ignore rule, how can we resolve (delete?) those files?

    Of note, all the servers have SpamAssassin disabled BUT we are still getting the emails!

    0
  • WWWARTSteve

    Yes, several servers that have updated to version 122.0.5.

    0
  • baronn

    cPRex can we kindly get an update and fix to solve this issue please?

    0
  • cPRex Jurassic Moderator

    If the emails are from CSF/LFD, there isn't anything I can do on my end for this issue.  That's something you'd need to take up with their team at https://configserver.com/technical-support/ since it sounds like they need to adjust something on their end.

    0
  • baronn

    cPRex but this has happened AFTER an upgrade to the latest version of cPanel/WHM. Appreciate you cannot offer support for CSF, but this is happening due to the recent upgrade and the way files are now being stored by cPanel, similar to this: https://support.cpanel.net/hc/en-us/community/posts/19133619345431--CPANEL-23314-CSF-Suspicious-File-Alerts-tmp-pma-template-compiles-after-V76-Update SURELY there must be something, some information, some fixes that can solve this? CSF has worked (and is working) flawlessly for many years without issues...

    OR how can we revert the latest update???

    0
  • cPRex Jurassic Moderator

    There is never a supported way to downgrade cPanel.

    It's possible there is a change on our side with the latest update, but we don't coordinate with third-party providers in any way before the update is released.  If there is a change, it would be up to them to do that testing and resolve the issue.

    This is also the only report of this behavior I've seen.  How old is the SpamAssassin file in /tmp on your server?

    0
  • baronn

    cPRex ah I see, I thought there may have been some way to downgrade.

    Definitely due to a change on your side, specifically to do with the v122.0.5 update. You may not have support requests for this, but as you can see other users in this thread have reported the same issue (anyone else kind enough to pitch in???)

    How can I see how old the file is? I only get this via email:

    File:   /tmp/.spamassassin3950SumxCatmp
    Reason: Suspicious directory
    Owner:  nobody:nobody (99:99)

    Going to the temp folder I cannot see that directory at all...

    Also, as previously stated, SpamAssassin is disabled via Tweak Settings...

    Any help would be appreciated as the amount of emails we are getting due to this is enormous!

    Thank you.

    0
  • Unnamed User

    Several of us have confirmed above that we are also affected by this issue after updating to the latest cPanel version, so surely they would be considered additional reports. This doesn’t seem like a great approach to a problem being experienced by paying customers, some running multiple licenses. If I handled my customers like this, I wouldn’t have any customers.

    0
  • cPRex Jurassic Moderator

    baronn - you would have to check the timestamp of the file on the command line.

    If anyone can submit a ticket where this is happening we'd be happy to check things on our end, but ultimately it may not be something we can resolve.

    0
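One way to run the command-line timestamp check mentioned above against every path named in an LFD alert (an added example, not posted by anyone in this thread and not part of cPanel or CSF). The function names `triage_lfd_alert` and `check_path` are hypothetical, and GNU `stat` is assumed:

```bash
#!/usr/bin/env bash
# Added example: hypothetical helpers, not part of CSF/LFD or cPanel.
# Reads LFD "Suspicious File Alert" text on stdin and, for each File:/Owner:
# pair, reports whether the path still exists, its mtime, and whether the
# uid:gid in the alert still matches. Assumes GNU stat (coreutils).

check_path() {
    local path=$1 reported=$2 current mtime
    # -L catches dangling symlinks, which -e reports as absent.
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        printf 'missing\t%s\n' "$path"
        return 0
    fi
    current=$(stat -c '%u:%g' -- "$path")   # describes the link itself, not its target
    mtime=$(stat -c '%y' -- "$path")
    if [ "$current" = "$reported" ]; then
        printf 'present\towner-unchanged\t%s\t%s\n' "$mtime" "$path"
    else
        printf 'present\towner-now-%s\t%s\t%s\n' "$current" "$mtime" "$path"
    fi
}

triage_lfd_alert() {
    local line path="" ids
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *File:*)
                path=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*File:[[:space:]]*//') ;;
            *Owner:*)
                # Alert format: "Owner:  nobody:nobody (99:99)"
                ids=$(printf '%s\n' "$line" | sed -nE 's/.*\(([0-9]+:[0-9]+)\).*/\1/p')
                if [ -n "$path" ]; then check_path "$path" "$ids"; fi
                path="" ;;
        esac
    done
    return 0
}

# Constructed sample in the alert format quoted in this thread.
triage_lfd_alert <<'EOF'
File:   /tmp/.spamassassin3950SumxCatmp
Reason: Suspicious directory
Owner:  nobody:nobody (99:99)
EOF
```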
  • baronn

    cPRex so the dates I have found are: 22/08/24 13:07:12 which is around the time when the upgrade was done (manually).

    Is it safe to delete those files in the temp folder that relate to SpamAssassin?

    Will they come back if deleted?

    FYI, there are other folders with the same time stamp (give or take a few seconds) like: .Test-unix, .x11-unix, .XIM-unix... can those be deleted too?

    In general, what's the best practice when it comes to having a lean and clean system? Specifically, can we delete everything/anything in that temp folder? If so, what's the best way you would advise, please?

    0
  • cPRex Jurassic Moderator

    baronn - if you aren't using SpamAssassin on your server, it's fine to remove those files.  After all, they are temporary data.

    You can delete most everything in /tmp *except* the mysql.sock file link and any systemd directories you see.

    There are automated ways to clean /tmp that you can read about here: https://support.cpanel.net/hc/en-us/articles/360052677654-How-to-clean-your-tmp-directory-with-tmpwatch

    0
  • baronn

    cPRex thank you kindly for the info and link. Will go ahead and do that. FYI: deleted the SpamAssassin folder and emails have now stopped. No impact on functionality from what I can see... so far.

    0
  • cPRex Jurassic Moderator

    You're very welcome!

    0
  • digitaliway

    I am also receiving two of these notices per hour and would appreciate any assistance on how to resolve this?

    Time: Tue Sep 10 09:05:41 2024 -0400
    File: /tmp/.spamassassin17902123bgypqtmp
    Reason: Suspicious directory
    Owner: nobody:nobody (65534:65534)
    Action: No action taken


    Time: Tue Sep 10 09:05:41 2024 -0400
    File: /tmp/.spamassassin17902123bgypqtmp/.spamassassin
    Reason: Suspicious directory
    Owner: nobody:nobody (65534:65534)
    Action: No action taken

    0
  • cPRex Jurassic Moderator

    digitaliway - who is the sender and subject line of those messages?

    0
  • digitaliway

    These notifications are coming from CSF and started only after the 122.0.5 upgrade.

    Subject: lfd on myservername.net: Suspicious File Alert
    From: <root@myservername.net>

    0
  • cPRex Jurassic Moderator

    There isn't anything I can do on my side for CSF alerts since we don't have any control over that product.

    0
  • digitaliway

    My concern is not only the alert but why the alert fired only after the upgrade. If the file or folder is indeed suspicious, then I would like to know if the server is compromised due to the upgrade to 122.0.5. The release notes on the cPanel website do show that the upgrade included SpamAssassin updates, which I am hoping did not include corrupt script? Will there be future updates in the near future for SpamAssassin to correct this?

    0
  • cPRex Jurassic Moderator

    The more likely explanation is the file is just fine and the CSF tools just aren't updated. 

    0
  • Jim McLaughlin

    I don't usually update CSF by hand. Could you please provide the commands for that? This is still quite annoying.

    0
  • cPRex Jurassic Moderator

    I'm not able to provide any support related to the CSF tools since that isn't part of the cPanel software.  If that software is causing difficulty you should report the issue to https://configserver.com/technical-support/

    0
  • clopezi

    For now, a hotfix is to add the directory to csf.fignore:

    /tmp/.spamassassin*

    And that's it.

    0
  • Jim McLaughlin

    I noticed an update to CSF today to version 14.22.  Does anyone know if it addressed this issue?

    14.22 - Removed session IP match check from DA login

            Added example spamassassin temp file regex to csf.fignore for
            new installations

    0
