how to find gmail originating ip ?

I am an IT person myself. one of my clients who have a gmail email.
his gmail has been hacked or the password has been guessed.
and an email was sent to the bank pretending being him.

The bank forwarded the email. and we would like to know if it was sent from our office, or was it hacked by an external hacker.

we tried tracing the email, but as expected, Gmail did hide the originating IP.

I had been trying to contact Gmail for the last week for assistance in this regards.
i need the ip of the sender (from my email) or the IP of whoever logged into my account at that specific time.

i understand a court order might be needed, that is no issue, but we need to contact gmail to even send them the court order.

any ideas guys ?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
Here's the Google Product contact page and it actually has a phone number.
Schuyler DorseyCommented:
View the full message headers of the email. It MIGHT show the IP address the message was sent from.

If it were an on-premise email server, it would for sure show it. I am not 100% sure about gmail with it being a cloud only solution and whether or not the originating IP will only show gmail servers or not.

It's at least a direction to look though.
Schuyler DorseyCommented:
Also once you login to Gmail, click on Details under Account Activity at the bottom right. It lists the IPs which logged into the service under your account.
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Da_Ch0senAuthor Commented:
The phone number and the contact page is not much of help. I suited my form a week ago and no reply. And their phone number is 100% useless automation.

I did check the headers of course. The originating ip is the gmail server.

And the account activity only shows the last 10 logins. That is the first thing I looked at. But my client took a whole to contact me and it was too late.

Any other ideas guys ?
btanExec ConsultantCommented:
Should first change the password and change to the 2-step verification system  I.e password and sms code.

check recent activity

can also retry google reporting

It’s worth noting that you usually won’t be able to get the exact location of the actual person who sent the email. For example, if someone in Germany sends you an email using Gmail, the last IP address in the header section will probably be the public IP address assigned to that user from the ISP, which will give you the location of the user ranging from within a mile all the way to the city or region level.

for email header analyser

for impersonation, you can see Google stand
If you believe someone has created a Gmail address in an attempt to impersonate your identity, you may wish to file a report with the Internet Crime Complaint Center (, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.

In addition, we recommend contacting your state's Office of Consumer Protection.

Gmail is unable to participate in mediations involving third parties regarding impersonation. To read the Gmail Terms of Use, please visit:
Da_Ch0senAuthor Commented:
Thanks for trying to help. But as mentioned earlier. I am not the attacked. I am the IT security consultant for the attacked person (my client) so I already went through these links you guys keep on sending to me from google website. And I know I have to change the password before another email leaves with a new fraud. Can we move the level of support to a higher level please ?
The originating ip (which what we need) is not in recent activity, and it is not in the header. Gmail hid that  ip from the header.
btanExec ConsultantCommented:
There is no technical way to get the ip-address of someone sending an email via the gmail web interface. Google does not put it into the email headers. And there is no API to query Gmail for it.

There is no X-Originating-IP or any header which gives any sender IP details. As noted, this is no surprise and even then X-* headers are optional headers and not required by the SMTP protocol.

Food for thought - Even if there was sender IP information in the message, it is largely useless. Many users don't have static IP addresses. ISPs assign IP addresses from a pool of available IPs. Many sites use NAT and other mapping techniques so that all hosts on their internal network have non-routable private IP addresses. Users can access gmail from any Internet connected system which has a web browser, such as an internet cafe, public wireless netowrks, etc. Many web connections pass through proxies. From the Gmail perspective, the IP the client is connecting from is the proxy IP, not the IP of the sender's PC (there is X-Forwarded-For if enabled but not default enabled)

If you really need that IP address for valid reasons, you need to go the legal way. And this will involve bringing in some form of government authority - you can't do it on your own.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Da_Ch0senAuthor Commented:
Thanks got all of the above. I am aware of all what is said. And I am also aware that Gmail will not disclose information to me. But I need to know what is the legal way to do it. In order to get the originating IP.
we have a lawyer who can get the court order for that and proceed.
I once the ip is disclosed. We can check with the ISP to see who had that IP at that time. Our main concern is that it is an internal act and the fraud was sent from my clients office.
Disclosing the ip of the sender (from Gmail with a legal act) can identify whether it was one of our employees in our office or not. As we know what was our ip at that moment.
btanExec ConsultantCommented:
GMail is going for transparency-the best that (I know) is as below for considerations.
In what situations wouldn't you tell me about a request for my information?

We can't notify you if, for example, your account has been closed, or if we're legally prohibited from doing so. We sometimes fight to give users notice of a data request by seeking to lift gag orders or unseal search warrants.

I received an email from Google saying that someone has requested information related to my account. What does this mean?

It means we've received a request to disclose information that's either stored in your Google account or associated with it. Just because we receive a request doesn't necessarily mean that we did—or will—disclose any of the requested information. We have a rigorous process for reviewing these requests against legal requirements and Google's policies. We notify users about legal demands when appropriate, unless prohibited by law or court order.

In these emails, Google will not ask you to provide any personal information such as a password or social security number. If you get an email purportedly from Google that asks for this type of information, don't provide it. The email is probably a scam, so please report it to us.

What can I do about a request like this?

We're sorry, but we can't give you legal advice. You might be able to contact the person or agency asking us for your data. Of course you may want to consult a lawyer.

What kinds of data do you disclose for different products?

To answer that, let's look at four services from which government agencies in the U.S. commonly request information: Gmail, YouTube, Google Voice and Blogger. Here are examples of the types of data we may be compelled to disclose, depending on the ECPA legal process, the scope of the request, and what is requested and available. If we believe a request is overly broad, we will seek to narrow it.


Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)
IP addresses and associated time stamps

Court Order:

Non-content information (such as non-content email header information)
Information obtainable with a subpoena
Search Warrant:

Email content
Information obtainable with a subpoena or court order
Also thought thsi may be useful for your lawyer folks to advice better
SB 1411 -
"A California bill, SB 1411, would criminalize online impersonation, i.e. impersonating another actual person on the Internet. It would become a misdemeanor to knowingly and without consent credibly impersonating another actual person on the Internet, or other electronic means, in order to harm, intimidate, threaten, or defraud another person."
Da_Ch0senAuthor Commented:
Btan now that is something close to what I was looking for. Will follow up on Monday and read out this article closer and check if out. Most probably that's it.
Will update Monday

btanExec ConsultantCommented:
In fact, author queries are addressed saying no way to get origin ip, Google may not necessarily reveal though it can be attempted in request but still subjected to legislative restrictions.

For consideration as solution on below
ID: 40236733
ID: 40236042
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.