Wednesday, April 23, 2014

Gmail messages labeled as sent 'via eigbox.net'

At work I had a user who suddenly started having all her outbound Gmail messages labeled as being sent 'via eigbox.net'. My thoughts immediately jumped to virus or malware. A Google search of 'via eigbox.net' returned a bunch of forum posts where people were having the exact same problem, but I didn't find any info on what could be causing this to happen. The next thing I did was try to find info about the domain name eigbox.net. The whois information showed the owner of the domain name is a company called Endurance International Group. They are the parent company of several different hosting providers including HostGator. The domain eigbox.net doesn't have a website but it appeared the domain is used for a hosted e-mail service. At this point I couldn't rule out a virus but there wasn't anything necessarily suspicious about eigbox.net.
Screenshot showing how messages appeared to recipients.
This person primarily used the native Mac Mail application so the next thing I tested was sending a test message from the Mail application and another test message using the Gmail web interface. I examined the message headers in both messages using the 'Show Original' option in Gmail.
Examination of the headers showed that messages sent from the Mac Mail app were definitely being routed through SMTP servers at eigbox.net. Messages sent through the Gmail web interface stayed within Google's network. This information let me focus on the Mail app as the source of the problem. I started combing through the settings in Mail.app. I discovered the user had two e-mail accounts configured: one personal account and another for the company Gmail. Under the Gmail settings (Mail > Preferences > Accounts) I noticed the Gmail SMTP server said 'Offline' and the check box labeled 'Use only this server' was not checked.
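
The header comparison described above can be scripted. This is an added example, not code from the original post: it lists the server named in each `Received: ... by` clause and flags any outside the provider you expected. The sample headers, hostnames and addresses are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample headers (placeholders, not taken from the original post).
VIA_FALLBACK = """\
Received: from relay.eigbox.net (relay.eigbox.net [192.0.2.10])
\tby mx.google.com with ESMTP id abc123;
\tWed, 23 Apr 2014 10:00:05 -0700 (PDT)
Received: from users-mac.local ([198.51.100.7])
\tby relay.eigbox.net with ESMTPA id xyz789;
\tWed, 23 Apr 2014 13:00:03 -0400
From: User <user@company.example>
Subject: test from Mail.app

body
"""
VIA_WEBMAIL = """\
Received: by mx.google.com with SMTP id def456;
\tWed, 23 Apr 2014 10:05:02 -0700 (PDT)
Received: by mail-out.google.com with HTTP;
\tWed, 23 Apr 2014 10:05:01 -0700 (PDT)
From: User <user@company.example>
Subject: test from Gmail web

body
"""

def accepting_servers(raw):
    """Hosts from each 'Received: ... by <host>' clause, oldest hop first."""
    hops = message_from_string(raw).get_all("Received") or []
    hosts = []
    for hop in reversed(hops):  # headers are prepended, so the last one is oldest
        m = re.search(r"\bby\s+([^\s;]+)", hop)
        if m:
            hosts.append(m.group(1).lower().rstrip("."))
    return hosts

def in_domain(host, domain):
    # Match the domain itself or a true subdomain, not a look-alike suffix.
    return host == domain or host.endswith("." + domain)

def unexpected_relays(raw, expected_domains):
    """Servers that handled the message but are outside the expected domains."""
    return [h for h in accepting_servers(raw)
            if not any(in_domain(h, d) for d in expected_domains)]

if __name__ == "__main__":
    for name, raw in (("Mail.app", VIA_FALLBACK), ("Gmail web", VIA_WEBMAIL)):
        print(name, accepting_servers(raw), unexpected_relays(raw, ("google.com",)))
```

Only the `Received` lines added by servers you trust are reliable; earlier hops are written by whatever system submitted the message.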


At this point I audibly exclaimed "Aha!". What I realized is going on is outbound Gmail messages can't reach Google's SMTP server for some reason and Mail.app is falling back to the SMTP server for the user's personal e-mail account. Surprisingly the e-mail servers for the personal account allow sending of e-mail with any domain in the from address. Checking the 'Use only this server' box and saving the setting causes mail to get stuck in the outbox. In the end the reason the Gmail SMTP server was offline was because the user changed Gmail passwords. Having 'Use only this server' unchecked allowed Mail.app to seek out another SMTP server. It appears Mac Mail stores the IMAP and SMTP passwords separately. When she changed her Gmail password she updated the IMAP password, which allowed her to continue to receive mail, but it wasn't very obvious that the SMTP password also needed to be changed.

To change the SMTP password go to Mail > Preferences > Accounts. Click on the 'Outgoing Mail Server (SMTP)' drop down and select 'Edit SMTP Server List...'

Select 'Edit SMTP Server List...' from the drop down.

Click on the 'Advanced' button and enter the password for the SMTP server.
The user's personal e-mail account is hosted by a company called iPage which does web page and e-mail hosting. iPage uses the eigbox.net domain for its e-mail. iPage is also part of Endurance International Group. Mystery solved.