thanks sundialsvcs! yes its like a thrust and hopefully i can go through it well
still need your help or anybody who willing.. have few more questions
1) with ps -a | less command i get this :
PID TTY TIME CMD
4041 pts/0 00:00:00 su
4042 pts/0 00:00:00 bash
4160 pts/0 00:00:00 ps
4161 pts/0 00:00:00 less
so i think shuld be clear rite?
2) then with top command i can see below (capturing the first 4)
Tasks: 98 total, 1 running, 97 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.3% us, 0.8% sy, 0.0% ni, 96.8% id, 2.0% wa, 0.0% hi, 0.0% si
Mem: 514572k total, 209948k used, 304624k free, 44492k buffers
Swap: 2096472k total, 0k used, 2096472k free, 60548k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3020 qmails 16 0 2028 352 272 S 1.0 0.1 0:05.87 qmail-send
3031 qmaill 16 0 2236 328 264 S 0.7 0.1 0:04.40 multilog
4178 root 16 0 3736 904 728 R 0.7 0.2 0:00.04 top
2674 mysql 16 0 31240 5544 2144 S 0.3 1.1 0:00.23 mysqld
what concern me is that the qmailsend and miltulog keep popping up after every 10-20 seconds, does it mean the server keep sending email out every 10-20 seconds?
3) about the stsrem log, i checked in /var/log folder there are many files, any suggestion which 1 shuld i check? below is what i can see
[root@mail log]# ls -a
. cups messages.2 rpmpkgs.3 squid
.. dmesg messages.3 rpmpkgs.4 up2date
acpid exim messages.4 samba up2date.1
boot.log gdm mysqld.log scrollkeeper.log up2date.2
boot.log.1 httpd mysqld.log.1 secure up2date.3
boot.log.2 lastlog mysqld.log.2 secure.1 up2date.4
boot.log.3 mail mysqld.log.3 secure.2 vbox
boot.log.4 maillog mysqld.log.4 secure.3 wtmp
clamav maillog.1 ppp secure.4 wtmp.1
cron maillog.2 prelink.log spooler xferlog
cron.1 maillog.3 qmail spooler.1 Xorg.0.log
cron.2 maillog.4 rpmpkgs spooler.2 Xorg.0.log.old
cron.3 messages rpmpkgs.1 spooler.3 yum.log
cron.4 messages.1 rpmpkgs.2 spooler.4
4) not quiet understand what u mean by "then the person probably has a crontab ("cron" as in Chronos .. the god of Time) that's firing them off." do you mean i should check for the cron files in the log folder?
5) i checked in sshd_conf there are two users allowed to connect via ssh => ess and sz , is it ok if i remove them or does these 2 users are actually a program required to run the mail?
appreciate ur feedback! or anybody!