Suspicious /tmp Spam Assassin Directories/Files
Hi,
Anyone getting suspicious directories and files in /tmp under .spamassassinXXXX names?
Just started after the latest update.
Thanks.
-
Hey there! Those files in /tmp are normal and expected if you're using SpamAssassin on your machine. What specific tool is flagging them as being suspicious?
1 -
I’m getting the same reports of a suspicious file located in the tmp directory. They are being flagged by LFD in CSF.
0 -
Yes, I should have noted that these folders and files are flagged by LFD, as well.
1 -
Yes, having the same issue on multiple servers which have just recently upgraded to the latest cPanel/WHM version 122.0.5.
I know you guys don't support CSF (LFD), but considering this issue has just popped up AFTER the upgrade, can cPRex provide a fix to stop emails (recent count 148 per server!!!) for suspicious files? Rather than adding in an ignore rule, how can we resolve (delete?) those files?
Of note, all the servers have SpamAssassin disabled BUT we are still getting the emails!
0 -
Yes, several servers that have updated to version 122.0.5.
0 -
cPRex can we kindly get an update and fix to solve this issue please?
0 -
If the emails are from CSF/LFD, there isn't anything I can do on my end for this issue. That's something you'd need to take up with their team at https://configserver.com/technical-support/ since it sounds like they need to adjust something on their end.
0 -
cPRex but this has happened AFTER an upgrade to the latest version of cPanel/WHM. Appreciate you cannot offer support for CSF, but this is happening due to the recent upgrade and the way files are now being stored by cPanel, similar to this: https://support.cpanel.net/hc/en-us/community/posts/19133619345431--CPANEL-23314-CSF-Suspicious-File-Alerts-tmp-pma-template-compiles-after-V76-Update SURELY there must be something, some information, some fixes that can solve this? CSF has worked (and is working) flawlessly for many years without issues...
OR how can we revert the latest update???
0 -
There is never a supported way to downgrade cPanel.
It's possible there is a change on our side with the latest update, but we don't coordinate with third-party providers in any way before the update is released. If there is a change, it would be up to them to do that testing and resolve the issue.
This is also the only report of this behavior I've seen. How old is the SpamAssassin file in /tmp on your server?
0 -
cPRex ah I see, I thought there may have been some way to downgrade.
Definitely due to a change on your side, specifically to do with the v 122.0.5 update. You may not have support requests for this, but as you can see other users in this thread have reported the same issue (anyone else kind enough to pitch in???)
How can I see how old the file is? I only get this via email:
File: /tmp/.spamassassin3950SumxCatmp
Reason: Suspicious directory
Owner: nobody:nobody (99:99)
Going to the temp folder I cannot see that directory at all...
Also, as previously stated, SpamAssassin is disabled via Tweak Settings...
Any help would be appreciated as the amount of emails we are getting due to this is enormous!
Thank you.
0 -
Several of us have confirmed above that we are also affected by this issue after updating to the latest cPanel version, so surely they would be considered additional reports. This doesn’t seem like a great approach to a problem being experienced by paying customers, some running multiple licenses. If I handled my customers like this, I wouldn’t have any customers.
0 -
baronn - you would have to check the timestamp of the file on the command line.
If anyone can submit a ticket where this is happening we'd be happy to check things on our end, but ultimately it may not be something we can resolve.
0 -
cPRex so the dates I have found are: 22/08/24 13:07:12, which is around the time when the upgrade was done (manually).
Is it safe to delete those files in the temp folder that relate to SpamAssassin?
Will they come back if deleted?
FYI, there are other folders with the same timestamp (give or take a few seconds) like: .Test-unix, .x11-unix, .XIM-unix... can those be deleted too?
In general, what's the best practice when it comes to having a lean and clean system? Specifically, can we delete everything/anything in that temp folder? If so, what's the best way you would advise, please?
0 -
baronn - if you aren't using SpamAssassin on your server, it's fine to remove those files. After all, they are temporary data.
You can delete most everything in /tmp *except* the mysql.sock file link and any systemd directories you see.
There are automated ways to clean /tmp that you can read about here: https://support.cpanel.net/hc/en-us/articles/360052677654-How-to-clean-your-tmp-directory-with-tmpwatch
0 -
cPRex thank you kindly for the info and link. Will go ahead and do that. FYI: deleted the SpamAssassin folder and emails have now stopped. No impact on functionality from what I can see... so far.
0 -
You're very welcome!
0 -
I am also receiving two of these notices per hour and would appreciate any assistance on how to resolve this?
Time: Tue Sep 10 09:05:41 2024 -0400
File: /tmp/.spamassassin17902123bgypqtmp
Reason: Suspicious directory
Owner: nobody:nobody (65534:65534)
Action: No action taken
Time: Tue Sep 10 09:05:41 2024 -0400
File: /tmp/.spamassassin17902123bgypqtmp/.spamassassin
Reason: Suspicious directory
Owner: nobody:nobody (65534:65534)
Action: No action taken
0 -
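The command-line timestamp check suggested earlier in the thread, applied to the alert format quoted in the post above, as an added example that is not part of the original thread and is not CSF or cPanel code: a read-only bash function that takes LFD alert text on stdin and reports, for each flagged path, whether it still exists, who owns it, how old it is and what it contains. The function name, output format and demo paths are assumptions made for the illustration, and it assumes GNU `stat` and `find`.

```bash
#!/usr/bin/env bash
# Added example: read-only triage of paths named in LFD "Suspicious File Alert" mail.
# Reads alert text on stdin; prints one line per unique "File:" path.

triage_lfd_alerts() {
    local now path owner mtime age entries execs kind
    now=$(date +%s)
    # Extract the path from each "File:" line, de-duplicated.
    sed -n 's/^File:[[:space:]]*//p' | sort -u | while IFS= read -r path; do
        if [ -L "$path" ]; then
            kind=symlink            # a symlink in /tmp deserves a closer look
        elif [ -d "$path" ]; then
            kind=dir
        elif [ -e "$path" ]; then
            kind=file
        else
            # Already gone, e.g. removed by the program that created it.
            printf 'MISSING %s\n' "$path"
            continue
        fi
        owner=$(stat -c '%U:%G(%u:%g)' "$path")    # GNU stat (assumption)
        mtime=$(stat -c '%Y' "$path")
        age=$(( (now - mtime) / 86400 ))
        # Count everything below the path, and regular files with the owner execute bit.
        entries=$(find "$path" -mindepth 1 | wc -l)
        execs=$(find "$path" -type f -perm -100 | wc -l)
        printf 'PRESENT %s kind=%s owner=%s age_days=%d entries=%d exec_files=%d\n' \
            "$path" "$kind" "$owner" "$age" "$entries" "$execs"
    done
}

# Constructed demo: build a stand-in directory and feed a constructed alert for it.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/.spamassassin1234exampletmp/.spamassassin"
    : > "$root/.spamassassin1234exampletmp/.spamassassin/placeholder"
    printf 'Time: (constructed)\nFile: %s\nReason: Suspicious directory\nFile: %s\n' \
        "$root/.spamassassin1234exampletmp" "$root/.gone" | triage_lfd_alerts
    rm -rf "$root"
}
demo
```

On a real host the alert mail body would be piped into `triage_lfd_alerts`; a `MISSING` line matches the case reported earlier in the thread where the flagged directory could no longer be found in /tmp.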
digitaliway - who is the sender and subject line of those messages?
0 -
These notifications are coming from CSF and started only after the 122.0.5 upgrade.
Subject: lfd on myservername.net: Suspicious File Alert
From: <root@myservername.net>
0 -
There isn't anything I can do on my side for CSF alerts since we don't have any control over that product.
0 -
My concern is not only the alert but why the alert fired only after the upgrade. If the file or folder is indeed suspicious, then I would like to know if the server is compromised due to the upgrade to 122.0.5. The release notes on the cPanel website do show that the upgrade included SpamAssassin updates, which I am hoping did not include a corrupt script? Will there be future updates in the near future for SpamAssassin to correct this?
0 -
The more likely explanation is the file is just fine and the CSF tools just aren't updated.
0 -
I don't usually update CSF by hand. Could you please provide the commands for that? This is still quite annoying.
0 -
I'm not able to provide any support related to the CSF tools since that isn't part of the cPanel software. If that software is causing difficulty you should report the issue to https://configserver.com/technical-support/
0 -
For now, a hotfix is to add the directory to csf.fignore:
/tmp/.spamassassin*
And that's it.
0 -
I noticed an update to CSF today to version 14.22. Does anyone know if it addressed this issue?
14.22 - Removed session IP match check from DA login
Added example spamassassin temp file regex to csf.fignore for new installations
0