I've been getting an increased number of lfd alerts from my dedicated server for the past 10-15 days.
They are mostly this:

Code:
lfd: Excessive resource usage: Account A (4039)
Time: Mon Jun 8 08:25:24 2009 -0500
Account: Account A
Resource: Process Time
Exceeded: 10821 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: spamd child
PID: 16580
Killed: Yes

and this:

Code:
lfd: Suspicious process running under user Account A
PID: 5598
Account: Account A
Uptime: 6131 seconds
Executable: /usr/bin/perl
Command Line (often faked in exploits): spamd child
Network connections by the process (if any):
tcp: cPanel® -> cPanel®
tcp: cPanel® -> cPanel®
udp: cPanel® -> 63.247.77.198:53
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/usr/bin/spamd
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm

but over the past two days a new alert:

Code:
lfd: LOCALRELAY alert for account Account B
Time: Mon Jun 8 09:28:07 2009 -0500
Type: LOCALRELAY, Local Account - Account B
Count: 103 emails relayed
Blocked: No
Sample of the first 10 emails:
2009-06-08 09:28:03 1MDfp.... <snip>

The emails sampled in the LOCALRELAY alert are legitimate.
Account A and B above are real accounts, but renamed for posting here.
Is anyone else getting this increase in alerts or is it just my server and what should I do about it?


