SPAMAssassin files in tmp cause lfd Suspicious File Alerts to be sent continuously. This started happening in 2024 and is due to SPAMAssassin creating a lot of files in the format of /tmp/.spamassassinXXXXXX
There is a thread on cPanel support regarding this: https://support.cpanel.net/hc/en-us/community/posts/25862336548503-Suspicious-tmp-Spam-Assassin-Directories-Files
If this is an issue for you, you will need to open the file at /etc/csf/csf.fignore and add the following:
/tmp/.spamassassin*
That will stop those files from triggering alerts in the future.