[SOLVED] CSF, Excessive resource usage: mail@domain.com

Hi,
I had a look around in the CSF forum, but think this might be Virtualmin related?
I am getting emails that one of my mailboxes is running a very long time somehow. Does anyone have an idea why, and how to add it to csf.pignore? I have a few mailboxes, but the behaviour seems related only to this one, or perhaps it is only showing this one?

Account: mail@domain.com
Resource: Process Time
Exceeded: 26133 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: spamd child
PID: 6160 (Parent PID:6156)
Killed: No

Another email:
Account: mail@domain.com
Uptime: 26133 seconds
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 127.0.0.1:46930
udp: 127.0.0.1:56272 -> 127.0.0.1:53
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/usr/bin/spamd

Would it be something like this:

cmd:spamd child
or
exe:/usr/bin/spamd
or
exe:/usr/bin/perl

Sorry, just not sure which option is the best?
Any help much appreciated

Howdy,

It sounds like it’s referring to the SpamAssassin child processes. It’s normal for those to run, SpamAssassin keeps several running at all times, similar to how Apache has various child processes.

It’s likely safe to ignore unless you’re experiencing a problem of some sort.

As far as how to configure CSF to ignore those – that’s unfortunately not something I’m familiar with, I haven’t used CSF in the past. If you aren’t seeing that in the CSF docs and aren’t getting help in the CSF community, there are folks who use that here, hopefully someone with some CSF experience can share how they’d go about setting that up to ignore those.

-Eric

Hi. You could put in:

exe:/usr/bin/perl

into /etc/csf/csf.pignore, but that technically will make anything running with the /usr/bin/perl process be ignored.

I would go further and do a:

ps aux|grep spamd

to see what username spamd is running as, and then do a:

user:whateverspamdusernameis

That would target the spamd process in particular and leave anything using perl to still be monitored.

Hopefully spamd doesn’t run as root, otherwise you’ll just have to use the exe:/usr/bin/perl.

Michael.

Thanks both
I got this output from your command

ps aux|grep spamd
root 3142 0.0 0.0 112704 964 pts/0 R+ 21:02 0:00 grep --color=auto spamd
root 6156 0.0 1.6 278420 65108 ? Ss 06:02 0:12 /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m5 -H
root 6160 0.0 2.2 300140 86612 ? S 06:02 0:49 spamd child
root 6161 0.0 1.7 281168 67124 ? S 06:02 0:01 spamd child

Perhaps I can find more answers; like you, I am not very fond of ignoring perl.

Howdy,

Yeah it does indeed run as root.

I see the folks over at DirectAdmin have discussed this one, I see a post here from a few years ago detailing how they added SpamAssassin to the CSF ignore file… would this here do what you’re after:

http://forum.directadmin.com/showthread.php?t=34893&s=09ad6fe07695c76e1e54e44e87eef989&p=238756#post238756

@andreycheck Thanks a lot, I am testing it and will put the outcome here later if it is working fine for me.

Feedback
It has been running fine for a few days, this is what I have now in my csf.pignore.

ClamAV

exe:/usr/bin/freshclam
exe:/usr/sbin/clamd
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
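
To compare how broad each csf.pignore candidate from this thread is, the following added example (not part of the original posts, and not CSF's own code) models exe:, cmd: and user: rules against a constructed process table. It assumes each rule is an exact string comparison against the executable, command line and user that lfd reports; PIDs 7001 and 7002 and the names `exempted` and `collateral` are hypothetical.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid user exe cmd")

# Constructed process table. PIDs 6156, 6160 and 6161 follow the ps output and
# the lfd alert quoted in the thread (the alert names /usr/bin/perl as the
# executable); PIDs 7001 and 7002 are invented for contrast.
PROCS = [
    Proc(6156, "root", "/usr/bin/perl",
         "/usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m5 -H"),
    Proc(6160, "root", "/usr/bin/perl", "spamd child"),
    Proc(6161, "root", "/usr/bin/perl", "spamd child"),
    Proc(7001, "webuser", "/usr/bin/perl", "/home/webuser/cgi-bin/form.pl"),
    Proc(7002, "root", "/usr/sbin/sshd", "sshd: root@pts/0"),
]
SPAMD_PIDS = {6156, 6160, 6161}  # the processes the rule is meant to cover
KINDS = ("exe", "cmd", "user")


def parse_rule(line):
    """Split 'kind:value' on the first colon only; values may contain colons."""
    kind, _, value = line.strip().partition(":")
    if kind not in KINDS or not value:
        raise ValueError(f"unsupported pignore rule: {line!r}")
    return kind, value


def exempted(rule, procs=PROCS):
    """PIDs the rule would exclude from tracking (assumed exact string match)."""
    kind, value = parse_rule(rule)
    return [p.pid for p in procs if getattr(p, kind) == value]


def collateral(rule, intended=SPAMD_PIDS, procs=PROCS):
    """PIDs exempted by the rule that are not part of the intended target."""
    return [pid for pid in exempted(rule, procs) if pid not in intended]


if __name__ == "__main__":
    for rule in ("exe:/usr/bin/perl", "exe:/usr/bin/spamd",
                 "cmd:spamd child", "user:root"):
        print(f"{rule:20} exempts={exempted(rule)} collateral={collateral(rule)}")
```

Under these assumptions only cmd:spamd child covers the alerted children without exempting anything else, but it matches on the command line, which the lfd alert itself labels "often faked in exploits".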