[SOLVED] CSF, Excessive resource usage: mail@domain.com

7 posts / 0 new
Last post
#1 Mon, 11/12/2018 - 10:32

[SOLVED] CSF, Excessive resource usage: mail@domain.com

Hi, I had a look around in CSF forum, but think this might be Virtualmin related?
I am getting emails that one of my mailboxes is running a very long time somehow, does anyone have an idea why and how to add it in the csf.pignore? I have a few mailboxes, but it seems only related behaviour to this one, or perhaps only showing this one?

Account: mail@domain.com
Resource:     Process Time
Exceeded:     26133 > 1800 (seconds)
Executable:   /usr/bin/perl
Command Line: spamd child
PID:          6160 (Parent PID:6156)
Killed:       No

Another email:
Acount: mail@domain.com
Uptime:  26133 seconds
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: ->
udp: ->
Files open by the process (if any):

Would it be something like this:

cmd:spamd child

Sorry, just not sure which option is the best?
Any help much appreciated

Mon, 11/12/2018 - 13:03


It sounds like it's referring to the SpamAssassin child processes. It's normal for those to run, SpamAssassin keeps several running at all times, similar to how Apache has various child processes.

It's likely safe to ignore unless you're experiencing a problem of some sort.

As far as how to configure CSF to ignore those -- that's unfortunately not something I'm familiar with, I haven't used CSF in the past. If you aren't seeing that in the CSF docs and aren't getting help in the CSF community, there are folks who use that here, hopefully someone with some CSF experience can share how they'd go about setting that up to ignore those.


Mon, 11/12/2018 - 14:50

Hi. You could put in:


into /etc/csf/csf.pignore, but that technically will make anything running with the /usr/bin/perl process be ignored.

I would go further and do a:

ps aux|grep spamd

to see what username spamd is running as, and then do a:


That would target the spamd process in particular and leave anything using perl to still be monitored.

Hopefully spamd doesn't run as root, otherwise you'll just have to use the exe:/usr/bin/perl.


Mon, 11/12/2018 - 15:05

Thanks both
I got this output from your command

ps aux|grep spamd
root      3142  0.0  0.0 112704   964 pts/0    R+   21:02   0:00 grep --color=auto spamd
root      6156  0.0  1.6 278420 65108 ?        Ss   06:02   0:12 /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m5 -H
root      6160  0.0  2.2 300140 86612 ?        S    06:02   0:49 spamd child
root      6161  0.0  1.7 281168 67124 ?        S    06:02   0:01 spamd child

Perhaps I can find more answers, like you I am not very font to ignore perl.

Mon, 11/12/2018 - 21:01


Yeah it does indeed run as root.

I see the folks over at DirectAdmin have discussed this one, I see a post here from a few years ago detailing how they added SpamAssassin to the CSF ignore file... would this here do what you're after:


Tue, 11/13/2018 - 01:21

@andreycheck Thanks a lot, I am testing it and will put outcome here later if it is working fine for me.

Wed, 11/14/2018 - 05:44

It has been running fine for a few days, this is what I have now in my csf.pignore.

# ClamAV
cmd:spamd child
Topic locked