Wednesday, April 23, 2014

Gmail messages labeled as sent 'via eigbox.net'

At work I had a user who suddenly started having all her outbound Gmail messages labeled as being sent 'via eigbox.net'. My thoughts immediately jumped to virus or malware. A Google search for 'via eigbox.net' returned a bunch of forum posts where people were having the exact same problem, but I didn't find any info on what could be causing this to happen. The next thing I did was try to find info about the domain name eigbox.net. The whois information showed the owner of the domain name is a company called Endurance International Group. They are the parent company of several different hosting providers including HostGator. The domain eigbox.net doesn't have a website, but it appeared the domain is used for a hosted e-mail service. At this point I couldn't rule out a virus, but there wasn't anything necessarily suspicious about eigbox.net.
Screenshot showing how messages appeared to recipients.
This person primarily used the native Mac Mail application so the next thing I tested was sending a test message from the Mail application and another test message using the Gmail web interface. I examined the message headers in both messages using the 'Show Original' option in Gmail.
Examination of the headers showed that messages sent from the Mac Mail app were definitely being routed through SMTP servers at eigbox.net. Messages sent through the Gmail web interface stayed within Google's network. This information let me focus on the Mail app as the source of the problem. I started combing through the settings in Mail.app. I discovered the user had two e-mail accounts configured: one personal account and another for the company Gmail. Under the Gmail settings (Mail > Preferences > Accounts) I noticed the Gmail SMTP server said 'Offline' and the check box labeled 'Use only this server' was not checked.
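The header comparison described above can be scripted. The following is an added example, not part of the original post: it lists the servers that stamped a message's Received headers and flags any that sit outside Google's network. The two sample messages, their host names and their addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed samples (not real captures). Paste the text from Gmail's
# 'Show Original' view in their place to check a real message.
RAW_MAIL_APP = """\
Received: from relay01.eigbox.net (relay01.eigbox.net [192.0.2.10])
    by mx.google.com with ESMTP id abc123; Wed, 23 Apr 2014 10:00:02 -0700
Received: from users-mac.local (client.example.net [198.51.100.7])
    by relay01.eigbox.net with ESMTPA id xyz789; Wed, 23 Apr 2014 10:00:01 -0700
From: User <user@company.example>
Subject: test from Mail.app

body
"""

RAW_WEBMAIL = """\
Received: from mail-a.google.com (mail-a.google.com [203.0.113.5])
    by mx.google.com with ESMTPS id def456; Wed, 23 Apr 2014 10:05:02 -0700
Received: by mail-a.google.com with HTTP; Wed, 23 Apr 2014 10:05:01 -0700
From: User <user@company.example>
Subject: test from web interface

body
"""

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

def smtp_path(raw):
    """Hosts that accepted the message, oldest hop first."""
    received = message_from_string(raw).get_all("Received") or []
    hosts = []
    for header in reversed(received):  # newest header is at the top
        match = BY_HOST.search(header)
        if match:
            hosts.append(match.group(1).lower().rstrip("."))
    return hosts

def unexpected_relays(raw, allowed_domains):
    """Hops whose accepting host is not under one of the allowed domains."""
    def allowed(host):
        return any(host == d or host.endswith("." + d) for d in allowed_domains)
    return [h for h in smtp_path(raw) if not allowed(h)]

if __name__ == "__main__":
    for name, raw in (("Mail.app", RAW_MAIL_APP), ("webmail", RAW_WEBMAIL)):
        print(name, smtp_path(raw), unexpected_relays(raw, ("google.com",)))
```

Only the Received headers added by servers you trust are reliable; lines below that point in the chain can be written by whoever submitted the message.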


At this point I audibly exclaimed "Aha!". I realized that outbound Gmail messages couldn't reach Google's SMTP server for some reason and Mail.app was falling back to the SMTP server for the user's personal e-mail account. Surprisingly, the e-mail servers for the personal account allow sending e-mail with any domain in the From address. Checking the 'Use only this server' box and saving the setting causes mail to get stuck in the outbox. In the end, the reason the Gmail SMTP server was offline was that the user had changed her Gmail password. Having 'Use only this server' unchecked allowed Mail.app to seek out another SMTP server. It appears Mac Mail stores the IMAP and SMTP passwords separately. When she changed her Gmail password she updated the IMAP password, which allowed her to continue to receive mail, but it wasn't very obvious that the SMTP password also needed to be changed.

To change the SMTP password go to Mail > Preferences > Accounts. Click on the 'Outgoing Mail Server (SMTP)' drop down and select 'Edit SMTP Server List...'

Select 'Edit SMTP Server List...' from the drop down.

Click on the 'Advanced' button and enter the password for the SMTP server.
The user's personal e-mail account is hosted by a company called iPage, which does web page and e-mail hosting. iPage uses the eigbox.net domain for its e-mail. iPage is also part of Endurance International Group. Mystery solved.







9 comments:

  1. Thank you Matt, the via eigbox.net has been concerning me as well but as it was from a known source and email thread was not concerned. Only appeared when they responded from their iPhone

    An easy trap for small businesses relying on multiple service providers.

  2. What do I do with an email that I received in my Google mailbox that has the "via eigbox.net" following the name of the sender, which is in my contacts?
    The major issue here is that the "sender" is one of my other Gmail accounts! I didn't send an email to myself and a check of the SENT folder for the "sender" email does not show any email going out!
    It looks like someone using "eigbox.net" spoofed one of my email accounts to send a message to another one of my email accounts!
    Should I be concerned? It doesn't appear as though either of my email accounts were compromised.

    Replies
    1. Unfortunately there isn't much you can do about people sending e-mail with a spoofed from address. Usually spam filters flag those types of messages if they come from a domain that does match the spoofed from address domain.

  3. How do you check these settings when the sent email was through an Outlook account sent to a Gmail account?

  4. If people would stop using legacy email clients like Mac Mail and Outlook, and would start using a web client like Google Apps for Work, we would all have far fewer problems.

  5. If Google Apps for Work were half as good as Outlook, we businesses would start using them. If they offered an Exchange replacement, we'd jump at the option. If they worked with AD, or better gave us an option to replace AD, we'd love that too...but the world isn't that simple. Until Google decides to get serious about enterprise, Outlook/Exchange is king. Period.

    Replies
    1. I would recommend Kerio Connect, with their beautiful Outlook offline connector. Check it out and give it a try. It works like a charm for me.

    2. Absolutely correct. Outlook + Exchange is simply more functional. And on OS X, Mac Mail is in many ways simply nicer to use than any web interface. As an IT person I see the attraction of pushing folks to pure web mail, but as a business person I see what a terrible idea that would be for some, perhaps most, of my business environment users.

