@WISTFUL - NEVER NEVER do what you suggested by ignoring users - that command is very dangerous and stops csf from watching those users for any exploits.
exe and pexe should be used. secondly cmd and pcmd.
Example: to stop getting php-fpm alerts for the pool, add this to csf.pignore
pcmd:php-fpm: pool.*
For most qmail alerts:
pexe:/var/qmail/bin/qmail-.*
Also I would raise the memory limit for alerts to 300, even 350 on heavy systems. If you are running a media server or something just add an exclusion to the alert in csf.pignore through the exe: directive.
csf is VERY good firewall, but you have to take time to work through the false positives.
I have other exclusions on kloxo-mr install, but can't remember them all. I know mysql was one and the kloxo.httpd was another - but as you get alerts add them to csf.pignore

Always issue this after changes:
csf -r;service lfd restart
All good

Regards