Suspicious process running under user - warnings found

[cPanelLauren]

These are notifications facilitated by CSF in regards to the Perl executable running spamd which is Spamassassin. In this instance no, it does not appear to be malicious and generally speaking notifications in regard to spamd can be ignored.

 

[xanadu]

We are getting at least ten emails a day relating to 'spamd child' on a newly commisioned VPS with about 15 individual domains. The user name also changes in each message. is there any way of stopping them or would that be risky?

Hoping you can help.

 

[cPRex]

@xanadu - could you provide me with an example of one of these messages you're seeing? Just make sure to remove any public domains or IP addresses from your post for security.

 

[xanadu]

Hi cPRex.
Please see attached Example_1 which is followed immediately by Example_1A. Also attached is Example_2 where there is an additional entry under 'network connections' compared to Example_1. Example_2 is also follwed by a message similar to Example_1A.

They appear randomly for random users and can occur minutes apart and up to 1 hour apart.

Hope you can help.

Cheers,
Xanadu
PS: I will attach Example_2 in a following message.

 

[xanadu]

Example_2 attached

 

[ffeingol]

In /etc/csf/csf.pignore look for this line:

#cmd:spamd child

Uncomment it (remove the #) and then restart csf/ldf:

csf -ra

That tells LFD to ignore the process "spamd child" and you'll stop getting the emails.

 

[cPRex]

As @ffeingol mentioned, this is from CSF/LFD so you may want to just disable those notifications completely.