Unable to send email with Interworx Mailbox

Currently I’m using Roundcube webmail for my website mail service. Everything worked fine during the last few months, but now I’m unable to send messages. Receiving messages was fine.

Here’s the error displayed whenever I try to send a message to some email addresses:

I have asked Namecheap, which is my DNS provider, about this. This is what their technician informed me:

In this case it is evident that the server is sending out massive amounts of spam.

Our filtering system logged more than 1.2 million (!) attempted sendouts within the last day.

Since the server is using a User-responsible management plan and is also using Interworx software, we cannot assist in mitigating the issue, to our sincere regret.

They mention that there’s a huge amount of sendout; I would like to investigate the sendout and stop it. However, I do not know how to do it… Since Namecheap is unable to support, I was wondering if I can ask for help at the forum here…

Many thanks for your time and compassion.

Hi

Welcome to IW forums.

Firstly, check your mail queue: NodeWorx > System Services > Mail > Mail Queue

How many are shown?

If plenty, and spam, stop the outbound send service and fully delete all email in the queue, but first look at one and see which site is sending it

Once you know, disable the SiteWorx account immediately and contact the client

Also check your send logs: Server Settings > Logs > Mail > Send

It may also be that no SiteWorx user is sending and you’re infected, so none may show for the above

First block outbound port 25 and then run a malware and virus check

Many thanks

John

Hello–

Here is some information on how to identify what account may be sending spam, based on the information in the mail queue: How to: Identify and Remove Spam — InterWorx documentation

Note–if the UID is 108, that means it is going through the vpopmail service, and the messages were sent from a customer’s local mail client (Outlook, Thunderbird, etc). Unfortunately, that may make it impossible to identify the sender, as that means the customer’s local box is compromised, not the account. You should let your customers know to run malware scanners on their computers, as well as make sure their passwords are secure, and have them change them if needed.

Thanks,
-Jenna
Friendly Neighborhood InterWorx Support Manager
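As an added illustration of the triage Jenna describes (not code from the thread or from InterWorx), the script below splits a `qmqtool -v` style dump of the mail queue, reads the `Received: (qmail N invoked by uid U)` header of each message, and groups the messages by how they were injected and by sender domain. The uid 108 = vpopmail mapping is taken from this thread; the dump itself is constructed with reserved example domains, and the classification strings are my own.

```python
"""Triage a queued-mail dump (qmqtool -v style) by injecting uid and sender."""
import re
from collections import Counter

# uid that the thread above identifies as the vpopmail service on this server
VPOPMAIL_UID = 108

MSG_HDR_RE = re.compile(r"^MESSAGE NUMBER (\d+):$", re.M)
INVOKED_RE = re.compile(
    r"^Received: \(qmail \d+ invoked (?P<how>by uid (?P<uid>\d+)|from network|by alias)\)", re.M)
FROM_RE = re.compile(r"^From:.*?([\w.+-]+@([\w.-]+))", re.M)
SUBJECT_RE = re.compile(r"^Subject:[ \t]*(.*)$", re.M)

def split_dump(dump):
    """Yield (message number, message text) pairs from a qmqtool -v style dump."""
    parts = MSG_HDR_RE.split(dump)          # [preamble, num1, text1, num2, text2, ...]
    for i in range(1, len(parts) - 1, 2):
        yield int(parts[i]), parts[i + 1]

def classify(text):
    """Describe how one queued message entered qmail-queue and who it claims to be from."""
    m = INVOKED_RE.search(text)
    if m is None:
        uid, origin = None, "unknown"
    elif m["uid"] is not None:
        uid = int(m["uid"])
        # vpopmail means an authenticated mailbox (client or webmail); any other uid is a
        # local process such as a web script running as that site's user
        origin = ("vpopmail (authenticated client or webmail)" if uid == VPOPMAIL_UID
                  else f"local process uid {uid}")
    else:
        uid = None
        origin = "network (unauthenticated smtp)" if "network" in m["how"] else "alias"
    fm = FROM_RE.search(text)
    sm = SUBJECT_RE.search(text)
    return {"origin": origin, "uid": uid,
            "sender": fm.group(1).lower() if fm else None,
            "sender_domain": fm.group(2).lower() if fm else None,
            "subject": sm.group(1).strip() if sm else ""}

def triage(dump):
    """Classify every message and count them by (origin, sender domain)."""
    records = {num: classify(text) for num, text in split_dump(dump)}
    by_origin = Counter((r["origin"], r["sender_domain"]) for r in records.values())
    return records, by_origin

# Constructed sample dump; the domains are reserved example names, not the thread's server
SAMPLE_DUMP = """\
MESSAGE NUMBER 152210:

Received: (qmail 22808 invoked by uid 108); 20 Jun 2023 22:38:14 +0000
Received: from unknown (HELO server.example.invalid) (127.0.0.1)
  by mail.hosting.example with SMTP; 20 Jun 2023 22:38:14 +0000
Subject: Complete your debt payment now
To: victim@example.org
From: bogus@spam-sender.example

----> qmqtool: remainder of message has been suppressed
MESSAGE NUMBER 152211:

Received: (qmail 22811 invoked by uid 108); 20 Jun 2023 22:38:15 +0000
Subject: Complete your debt payment now
To: someone@example.net
From: bogus@spam-sender.example
----> qmqtool: remainder of message has been suppressed
MESSAGE NUMBER 152212:

Received: (qmail 22812 invoked by uid 1003); 20 Jun 2023 22:40:01 +0000
Subject: Your order #31 has shipped
To: customer@example.org
From: Shop <noreply@site-a.example>
----> qmqtool: remainder of message has been suppressed
MESSAGE NUMBER 152213:

Received: (qmail 22813 invoked from network); 20 Jun 2023 22:41:09 +0000
Received: from mx.example.net (192.0.2.44)
  by mail.hosting.example with SMTP; 20 Jun 2023 22:41:09 +0000
Subject: Re: invoice
To: postmaster@site-a.example
From: "A. Person" <a.person@example.net>
----> qmqtool: remainder of message has been suppressed
"""

if __name__ == "__main__":
    records, by_origin = triage(SAMPLE_DUMP)
    for (origin, domain), n in by_origin.most_common():
        print(f"{n:5d}  {origin:45s} {domain}")
```

A run of `qmqtool -v` piped into this on a real server shows at a glance whether the bulk sits under the vpopmail uid (a mailbox password or client problem, as Jenna notes) or under a site's own uid (a script on that site), which decides whether to disable a mailbox or a SiteWorx account first.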

Hello John and Jenna,

My sincere apologies for the long delay, but I was wondering where I can check my NodeWorx mail queue and logs?

Hi

You can log in to NodeWorx and the mail queue is at

NodeWorx > System Services > Mail > Mail Queue

Logs

NodeWorx > Settings > Logs; in the drop-down box select Mail Logs, and in the next drop-down box select Send

You can then download the send log and open it in a text editor, or view the send log as above; choose 4000 lines and newest at top, or whatever you want to set it to

Many thanks

John
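For the send log John points at, here is an added example (mine, not from the thread or InterWorx) that summarises a qmail-send log in the multilog/tai64n format that NodeWorx exposes as the "send" log: it counts messages per envelope sender and per injecting uid, decodes the `@4000...` timestamps so you can see the time span covered, and records delivery outcomes per sender with the remote SMTP code. The uid 108 = vpopmail mapping comes from the thread; the sample log lines are constructed (reserved example domains and 192.0.2.x addresses), and the threshold and labels are my own.

```python
"""Summarise a qmail-send log (NodeWorx 'send' log, multilog/tai64n format) by sender and uid."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

VPOPMAIL_UID = 108  # uid the thread above identifies as vpopmail on this server

INFO_RE = re.compile(r"^@(?P<ts>[0-9a-f]{24}) info msg (?P<msg>\d+): bytes \d+ "
                     r"from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)$")
START_RE = re.compile(r"^@[0-9a-f]{24} starting delivery (?P<dlv>\d+): msg (?P<msg>\d+) "
                      r"to (?:local|remote) (?P<rcpt>\S+)$")
RESULT_RE = re.compile(r"^@[0-9a-f]{24} delivery (?P<dlv>\d+): "
                       r"(?P<result>success|failure|deferral): (?P<detail>.*)$")
SMTP_CODE_RE = re.compile(r"Remote_host_said:_(\d{3})")   # qmail writes spaces as underscores

def decode_tai64n(label):
    """Convert a '@4000000064922a560a1b2c3d' multilog stamp to a UTC datetime.
    TAI runs about 37 s ahead of UTC; that offset is ignored here, which is fine for log triage."""
    secs = int(label[1:17], 16) - (1 << 62)
    nanos = int(label[17:25], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=nanos // 1000)

def summarise(lines):
    """Per-(sender, uid) message counts, per-uid counts, delivery outcomes per sender, time span."""
    sender_of_msg = {}     # qmail message id -> (sender, uid)
    msg_of_delivery = {}   # delivery id -> message id
    per_sender = Counter()
    per_uid = Counter()
    outcomes = defaultdict(Counter)   # sender -> Counter of 'success:250', 'failure:550', ...
    first = last = None
    for raw in lines:
        line = raw.strip()
        if m := INFO_RE.match(line):
            ts = decode_tai64n("@" + m["ts"])
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
            sender, uid = (m["sender"].lower() or "<>"), int(m["uid"])
            sender_of_msg[m["msg"]] = (sender, uid)
            per_sender[(sender, uid)] += 1
            per_uid[uid] += 1
        elif m := START_RE.match(line):
            msg_of_delivery[m["dlv"]] = m["msg"]
        elif m := RESULT_RE.match(line):
            msg = msg_of_delivery.get(m["dlv"])
            if msg in sender_of_msg:
                key = m["result"]
                if code := SMTP_CODE_RE.search(m["detail"]):
                    key += ":" + code.group(1)
                outcomes[sender_of_msg[msg][0]][key] += 1
    return {"per_sender": per_sender, "per_uid": per_uid,
            "outcomes": outcomes, "span": (first, last)}

def suspicious_senders(lines, threshold):
    """Senders with at least `threshold` messages, tagged by how they injected mail."""
    s = summarise(lines)
    hits = []
    for (sender, uid), n in s["per_sender"].most_common():
        if n < threshold:
            break
        origin = ("vpopmail (authenticated client or webmail)" if uid == VPOPMAIL_UID
                  else f"local process uid {uid}")
        hits.append({"sender": sender, "uid": uid, "count": n, "origin": origin})
    return hits

# Constructed sample in the format qmail-send writes under multilog (not the thread's real log)
SAMPLE_SEND_LOG = """\
@4000000064922a560a1b2c3d new msg 152210
@4000000064922a560a2b3c4d info msg 152210: bytes 4821 from <bogus@spam-sender.example> qp 22808 uid 108
@4000000064922a560b000001 starting delivery 7731: msg 152210 to remote victim1@example.org
@4000000064922a570c000001 delivery 7731: failure: 192.0.2.25_failed_after_I_sent_the_message./Remote_host_said:_550_5.7.1_[IR]_excessively_high_number_of_invalid_recipients/
@4000000064922a570c000002 end msg 152210
@4000000064922a580a1b2c3d new msg 152211
@4000000064922a580a2b3c4d info msg 152211: bytes 4819 from <bogus@spam-sender.example> qp 22809 uid 108
@4000000064922a580b000001 starting delivery 7732: msg 152211 to remote victim2@example.net
@4000000064922a590c000001 delivery 7732: deferral: Connected_to_192.0.2.26_but_greeting_failed./Remote_host_said:_421_4.7.0_Try_again_later/
@4000000064922a5a0a1b2c3d new msg 152212
@4000000064922a5a0a2b3c4d info msg 152212: bytes 612 from <noreply@site-a.example> qp 22810 uid 1003
@4000000064922a5a0b000001 starting delivery 7733: msg 152212 to remote owner@site-a.example
@4000000064922a5b0c000001 delivery 7733: success: 192.0.2.27_accepted_message./Remote_host_said:_250_2.0.0_OK/
@4000000064922a5b0c000002 end msg 152212
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SEND_LOG
    s = summarise(lines)
    print("log spans", s["span"][0], "to", s["span"][1])
    for hit in suspicious_senders(lines, threshold=2):
        print(hit["count"], hit["sender"], hit["origin"], dict(s["outcomes"][hit["sender"]]))
```

Pointing it at a downloaded send log (`python3 sendlog.py send.log`) gives the sender and uid behind the volume Namecheap reported, and the `failure:550` / `deferral:421` tallies show whether remote servers are already rejecting or throttling that sender.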

Hello,

Yes, I have been able to check the mail log, but it shows nothing here…

So does this mean my mail queue is safe?

Hi

It is completely empty and you’re just showing the mail log

What does send show?

I think an earlier post of yours stated your server has been stopped from sending, and I would think receiving, email

This would explain why your mail log is empty, I think

You will need to download the mail log from when you were first notified and check them.

Please be aware the logs do rotate on a 7-day rolling period

Have you installed and run maldet to see if it finds anything? Also, it’s probably worth installing a rootkit checker

Many thanks

John

Uhm, how do I install maldet again? It mentions I have to use this command, wget http://www.rfxn.com/downloads/maldetect-current.tar.gz, to install maldet via SSH or a terminal, but the problem is where can I access SSH and the terminal?

Hey, I noticed this in my System Health; it’s regarding my mail queue

And most of the spam messages look like this:

MESSAGE NUMBER 152210:

Received: (qmail 22808 invoked by uid 108); 20 Jun 2023 22:38:14 +0000
Received: from unknown (HELO server.gosys.eu) (127.0.0.1)
by server2.saysheji.art with SMTP; 20 Jun 2023 22:38:14 +0000
Date: Tue, 20 Jun 2023 22:38:14 +0000
Content-Transfer-Encoding: 7bit
Message-ID: 1642627d39506e723d2c2f2130313e363e3d393d2a393c3f3d3278706767777d777a686a7b6e6e795e68414f43474b4a08415a.27791326@zz169.net
Representatives-Violations-Foes: 9C91C27FA
MIME-Version: 1.0
Subject: Complete your debt payment now
To: hautchampsaurd@wanadoo.fr
From: eerfcampshedding@zz169.net
Content-Type: text/html; charset=UTF-8
Axons-Rambling-Uncovered: 8876C1AC

Hi!

I regret to inform you about some sad news for you.

Approximately a month or two ago I have succeeded to gain a total access to all your devices utilized for browsing internet.
Moving forward, I have started observing your internet activities on continuous basis.


Go ahead and take a look at the sequence of events provided below for your reference:

Initially I bought an exclusive access from hackers to a long list of email accounts (in today’s world, that is really a common thing, which can arranged via internet).

Evidently, it wasn’t hard for me to proceed with logging in your email account (hautchampsaurd@wanadoo.fr).

Within the same week, I moved on with installing a Trojan virus in Operating Systems for all devices that you use to login to email.
Frankly speaking, it wasn’t a challenging task for me at all (since you were kind enough to click some of the links in your inbox emails before).
Yeah, geniuses are among us.


Because of this Trojan I am able to gain access to entire set of controllers in devices (e.g., your video camera, keyboard, microphone and others).
As result, I effortlessly downloaded all data, as well as photos, web browsing history and other types of data to my servers.

Moreover, I have access to all social networks accounts that you regularly use, including emails, including chat history, messengers, contacts list etc.
My unique virus is incessantly refreshing its signatures (due to control by a driver), and hence remains undetected by any type of antiviruses.


Hence, I guess by now you can already see the reason why I always remained undetected until this very letter…


During the process of compilation of all the materials associated with you,
I also noticed that you are a huge supporter and regular user of websites hosting nasty adult content.

Turns out to be, you really love visiting porn websites, as well as watching exciting videos and enduring unforgettable pleasures.
As a matter of fact, I was not able to withstand the temptation, but to record certain nasty solo action with you in main role,
and later produced a few videos exposing your masturbation and cumming scenes.


If until now you don’t believe me, all I need is one-two mouse clicks to make all those videos with everyone you know,

including your friends, colleagues, relatives and others.
Moreover, I am able to upload all that video content online for everyone to see.

I sincerely think, you certainly would not wish such incidents to take place, in view of the lustful things demonstrated in your commonly watched videos,

(you absolutely know what I mean by that) it will cause a huge adversity for you.

There is still a solution to this matter, and here is what you need to do:
You make a transaction of 660 USD to my account (an equivalent in bitcoins, which recorded depending on the exchange rate at the date of funds transfer),
hence upon receiving the transfer, I will immediately get rid of all those lustful videos without delay.

After that we can make it look like there was nothing happening beforehand.
Additionally, I can confirm that all the Trojan software is going to be disabled and erased from all devices that you use. You have nothing to worry about,
because I keep my word at all times.


That is indeed a beneficial bargain that comes with a relatively reduced price,

taking into consideration that your profile and traffic were under close monitoring during a long time frame.
If you are still unclear regarding how to buy and perform transactions with bitcoins - everything is available online.


Below is my bitcoin wallet for your further reference: 1PMP68a3iw2X4Ruq2XoENc1jNNaGVELCh6


All you have is 48 hours and the countdown begins once this email is opened (in other words 2 days).

The following list includes things you should remember and avoid doing:

----> qmqtool: remainder of message has been suppressed

That’s actually pretty creepy… but I’m not sure if it’s true that all the devices are being hacked. Is there any advice for me? Is changing the server password enough?

And I don’t remember having any client with the email (hautchampsaurd@wanadoo.fr); I suppose this is just spam.

It looks like, in my guess, one of my sites called Kareducation.com is the one getting the spam, because there were just many mails to support@kareducation.com.

And yes, as Jenna says, the UID is 108. Is there any other way than disabling the SiteWorx account? Or can I just disable it and create a new one?

Hi

That does look like it’s your client’s email client and not your server

However, I would still check your server for anything bad and rootkits

The quickest and easiest is to disable the SiteWorx account and speak with the client

You could disable or change the offending email account, though, but until your client cleans their computer or computers it would keep happening, and you would be in a worse state than now as your server IP and reputation would need cleaning as well. I’m thinking you’ve been added to blacklists due to spam sending

Change of passwords is always good

The content of the email is common; some make me smile as the content states they’ve taken a copy of a database on a site which does not have a database at all

I once stopped dead an intrusion on a client’s server and reviewed what had been uploaded to their server. One of the files was a text file labelled 850k and it contained usernames and passwords, I guess of 850,000 users, and I randomly checked a handful and yes, all allowed a correct login

It’s a bad world

Many thanks

John

Holy…

What else do I need to check on my server to keep it safer? And yes, I have spoken with the client and agreed to disable it right away.

What does the blacklist mean? And by whom?

What do you mean by cleaning my IP address? Change the IP address?

Hi

Blacklists are used by many in all areas

If you’ve been blacklisted then getting email sent to other email servers may not work, as most mail servers first check blacklists at the first point of connection

You would need to check on blacklists to see if your server IP address is listed and, if so, request blacklist removal, but some blacklists do not allow removal and favour a time release, so if your server does not send spam for, say, 1 month it is removed

The same can apply for sending server reputation

Many thanks

John
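To make John's blacklist check concrete, here is an added example (mine, not from the thread or InterWorx) of how a DNS blocklist lookup works: the IPv4 octets are reversed and prefixed to the list's zone, an A-record answer in 127.0.0.0/8 means "listed" and NXDOMAIN means "not listed". The three zones are real public DNSBLs; the queried address 192.0.2.10 and the offline answer table are constructed so the script runs without network access, and the verdict wording is my own. Spamhaus answers in 127.255.255.0/24 are its query-error codes (for example when asked through a public resolver), not listings, so run the live check from a resolver you control.

```python
"""Check one IPv4 address against public DNS blocklists (DNSBLs)."""
import ipaddress
import socket

# Widely used public zones. Spamhaus returns an error code instead of a listing when queried
# through a public/open resolver, so run this from a resolver you control for dependable answers.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")

def dnsbl_query_name(ip, zone):
    """Build the lookup name: octets reversed, then the zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError for anything that is not a plain IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def interpret(answer):
    """Turn a DNSBL A-record answer into a verdict. NXDOMAIN (None) means 'not listed'."""
    if answer is None:
        return "not listed"
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.IPv4Network("127.255.255.0/24"):
        # Spamhaus uses this range for query errors (blocked resolver, too many queries), not listings
        return f"query error {answer} (resolver blocked or rate-limited, not a listing)"
    if a in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"LISTED (return code {answer})"
    return f"unexpected answer {answer} (possibly a wildcard or hijacked DNS response)"

def check_ip(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Query every zone and return {zone: verdict}. `resolve` is injectable so the check can run offline."""
    verdicts = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except socket.gaierror:        # NXDOMAIN: the address is not on that list
            answer = None
        verdicts[zone] = interpret(answer)
    return verdicts

def listed_on(verdicts):
    """Zones on which the address is actually listed (error answers are excluded)."""
    return [zone for zone, verdict in verdicts.items() if verdict.startswith("LISTED")]

# Constructed offline answers so the example runs without network access (not real lookups)
OFFLINE_ANSWERS = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "10.2.0.192.zen.spamhaus.org": "127.255.255.254",   # a Spamhaus query-error code, not a listing
}

def offline_resolve(name):
    """Stand-in for socket.gethostbyname that replays OFFLINE_ANSWERS and NXDOMAINs everything else."""
    try:
        return OFFLINE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    import sys
    # With an address on the command line the real resolver is used; otherwise the offline table
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    resolver = socket.gethostbyname if len(sys.argv) > 1 else offline_resolve
    verdicts = check_ip(ip, resolve=resolver)
    for zone, verdict in verdicts.items():
        print(f"{zone:28s} {verdict}")
    print("listed on:", listed_on(verdicts) or "none")
```

Run it as `python3 dnsbl.py <your server IP>` from the server itself (or any host using your own resolver) after the queue has been cleaned; a listing's return code tells you which sub-list matched, and each list's own website explains its delisting or time-out policy, which is the "time release" John mentions.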

Hello,

I have checked my server IP address and none of my domains are on the blacklist. But after I tried to test it again, it seems it’s still unable to send.

Here’s what is displayed when I try to send a mail:

Hi. This is the qmail-send program at server2.saysheji.art.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<edbertjonnathan@gmail.com>:
142.251.2.26 failed after I sent the message.
Remote host said: 550 5.7.1 [IR] Our system has detected an excessively high number of invalid recipients originating from your account. Contact your service provider for support

--- Below this line is a copy of the message.

Return-Path: <edbert@thaigood4u.com>
Received: (qmail 5194 invoked by uid 108); 27 Jun 2023 10:47:20 +0000
Received: from unknown (HELO server2.saysheji.art) (127.0.0.1)
by server2.saysheji.art with SMTP; 27 Jun 2023 10:47:20 +0000
Received: from 162.0.216.162 ([::1])
by server2.saysheji.art with ESMTPA
id 55LMLzi+mmRHFAAAvsNdVg
(envelope-from <edbert@thaigood4u.com>)
for <edbertjonnathan@gmail.com>; Tue, 27 Jun 2023 10:47:20 +0000
MIME-Version: 1.0
Date: Tue, 27 Jun 2023 06:47:20 -0400
From: edbert@thaigood4u.com
To: Edbertjonnathan <edbertjonnathan@gmail.com>
Subject: Testing mail after the spams
Message-ID: <bcfd4e99cf360e5a05e0507d26e83928@thaigood4u.com>
X-Sender: edbert@thaigood4u.com
Content-Type: multipart/alternative;
boundary="=_2123598ef83e76803ab56197bc6436d5"

--=_2123598ef83e76803ab56197bc6436d5
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
format=flowed

Testing succesfully after empty the mail queue
--=_2123598ef83e76803ab56197bc6436d5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<p>Testing succesfully after empty the mail queue</p>

</body></html>

--=_2123598ef83e76803ab56197bc6436d5--

Hi

That’s a message from Gmail telling you your server has exceeded Gmail’s allowed number of connections within a given time period

I would test Gmail after 8 hours, or maybe tomorrow, and it most probably will go through

InterWorx sending is working

Many thanks

John

Hello–

You may want to reach out to a sysadmin service like Bob Cares: https://bobcares.com/

Or a security company like Rack911: https://www.rack911.com/

They would be able to provide insight on how to harden the server to best prevent spam.

Namecheap may also have some insight since it is a server that they provided to you. They may have some kind of security or monitoring add-ons or something of that nature.

However in this case, there isn’t much you can do, since your server is not compromised, your customer’s local computer is. So outside of telling your customers to run virus scanners on their computers and change their passwords, unfortunately, it is kind of out of your hands.

Regarding your How-To questions, all of our documentation can be found at https://docs.interworx.com (which redirects to the appendix base URL in the spam prevention doc I provided before). That is where you can find answers to most how-to questions, so you don’t have to wait for forum responses.

Thanks,
-Jenna

Hello, I am able to send messages to Gmail now. But it still displays a failure notice in my Roundcube webmail…

Thanks for the offer Jenna, but for the documentation it shows a Privacy Error. Is there some maintenance happening at InterWorx?

Hello–

No, no maintenance. It looks like the SSL cert expired. Thanks for letting us know. This is the exact same site: InterWorx — InterWorx documentation (docs.interworx.com is just easier to remember than appendix.interworx.com :) )

Thanks,
-Jenna