how to find gmail originating ip ?

Posted on 2014-08-01
Last Modified: 2016-07-15
I am an IT person myself. one of my clients who have a gmail email.
his gmail has been hacked or the password has been guessed.
and an email was sent to the bank pretending being him.

The bank forwarded the email. and we would like to know if it was sent from our office, or was it hacked by an external hacker.

we tried tracing the email, but as expected, Gmail did hide the originating IP.

I had been trying to contact Gmail for the last week for assistance in this regards.
i need the ip of the sender (from my email) or the IP of whoever logged into my account at that specific time.

i understand a court order might be needed, that is no issue, but we need to contact gmail to even send them the court order.

any ideas guys ?
Question by:Da_Ch0sen
    LVL 82

    Expert Comment

    by:Dave Baldwin
    Here's the Google Product contact page and it actually has a phone number.
    LVL 10

    Expert Comment

    by:Schuyler Dorsey
    View the full message headers of the email. It MIGHT show the IP address the message was sent from.

    If it were an on-premise email server, it would for sure show it. I am not 100% sure about gmail with it being a cloud only solution and whether or not the originating IP will only show gmail servers or not.

    It's at least a direction to look though.
    LVL 10

    Expert Comment

    by:Schuyler Dorsey
    Also once you login to Gmail, click on Details under Account Activity at the bottom right. It lists the IPs which logged into the service under your account.
    LVL 1

    Author Comment

    The phone number and the contact page is not much of help. I suited my form a week ago and no reply. And their phone number is 100% useless automation.

    I did check the headers of course. The originating ip is the gmail server.

    And the account activity only shows the last 10 logins. That is the first thing I looked at. But my client took a whole to contact me and it was too late.

    Any other ideas guys ?
    LVL 60

    Expert Comment

    Should first change the password and change to the 2-step verification system  I.e password and sms code.

    check recent activity

    can also retry google reporting

    It’s worth noting that you usually won’t be able to get the exact location of the actual person who sent the email. For example, if someone in Germany sends you an email using Gmail, the last IP address in the header section will probably be the public IP address assigned to that user from the ISP, which will give you the location of the user ranging from within a mile all the way to the city or region level.

    for email header analyser

    for impersonation, you can see Google stand
    If you believe someone has created a Gmail address in an attempt to impersonate your identity, you may wish to file a report with the Internet Crime Complaint Center (, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.

    In addition, we recommend contacting your state's Office of Consumer Protection.

    Gmail is unable to participate in mediations involving third parties regarding impersonation. To read the Gmail Terms of Use, please visit:
    LVL 1

    Author Comment

    Thanks for trying to help. But as mentioned earlier. I am not the attacked. I am the IT security consultant for the attacked person (my client) so I already went through these links you guys keep on sending to me from google website. And I know I have to change the password before another email leaves with a new fraud. Can we move the level of support to a higher level please ?
    The originating ip (which what we need) is not in recent activity, and it is not in the header. Gmail hid that  ip from the header.
    LVL 60

    Accepted Solution

    There is no technical way to get the ip-address of someone sending an email via the gmail web interface. Google does not put it into the email headers. And there is no API to query Gmail for it.

    There is no X-Originating-IP or any header which gives any sender IP details. As noted, this is no surprise and even then X-* headers are optional headers and not required by the SMTP protocol.

    Food for thought - Even if there was sender IP information in the message, it is largely useless. Many users don't have static IP addresses. ISPs assign IP addresses from a pool of available IPs. Many sites use NAT and other mapping techniques so that all hosts on their internal network have non-routable private IP addresses. Users can access gmail from any Internet connected system which has a web browser, such as an internet cafe, public wireless netowrks, etc. Many web connections pass through proxies. From the Gmail perspective, the IP the client is connecting from is the proxy IP, not the IP of the sender's PC (there is X-Forwarded-For if enabled but not default enabled)

    If you really need that IP address for valid reasons, you need to go the legal way. And this will involve bringing in some form of government authority - you can't do it on your own.
    LVL 1

    Author Comment

    Thanks got all of the above. I am aware of all what is said. And I am also aware that Gmail will not disclose information to me. But I need to know what is the legal way to do it. In order to get the originating IP.
    we have a lawyer who can get the court order for that and proceed.
    I once the ip is disclosed. We can check with the ISP to see who had that IP at that time. Our main concern is that it is an internal act and the fraud was sent from my clients office.
    Disclosing the ip of the sender (from Gmail with a legal act) can identify whether it was one of our employees in our office or not. As we know what was our ip at that moment.
    LVL 60

    Assisted Solution

    GMail is going for transparency-the best that (I know) is as below for considerations.
    In what situations wouldn't you tell me about a request for my information?

    We can't notify you if, for example, your account has been closed, or if we're legally prohibited from doing so. We sometimes fight to give users notice of a data request by seeking to lift gag orders or unseal search warrants.

    I received an email from Google saying that someone has requested information related to my account. What does this mean?

    It means we've received a request to disclose information that's either stored in your Google account or associated with it. Just because we receive a request doesn't necessarily mean that we did—or will—disclose any of the requested information. We have a rigorous process for reviewing these requests against legal requirements and Google's policies. We notify users about legal demands when appropriate, unless prohibited by law or court order.

    In these emails, Google will not ask you to provide any personal information such as a password or social security number. If you get an email purportedly from Google that asks for this type of information, don't provide it. The email is probably a scam, so please report it to us.

    What can I do about a request like this?

    We're sorry, but we can't give you legal advice. You might be able to contact the person or agency asking us for your data. Of course you may want to consult a lawyer.

    What kinds of data do you disclose for different products?

    To answer that, let's look at four services from which government agencies in the U.S. commonly request information: Gmail, YouTube, Google Voice and Blogger. Here are examples of the types of data we may be compelled to disclose, depending on the ECPA legal process, the scope of the request, and what is requested and available. If we believe a request is overly broad, we will seek to narrow it.


    Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)
    Sign-in IP addresses and associated time stamps

    Court Order:

    Non-content information (such as non-content email header information)
    Information obtainable with a subpoena
    Search Warrant:

    Email content
    Information obtainable with a subpoena or court order
    Also thought thsi may be useful for your lawyer folks to advice better
    SB 1411 -
    "A California bill, SB 1411, would criminalize online impersonation, i.e. impersonating another actual person on the Internet. It would become a misdemeanor to knowingly and without consent credibly impersonating another actual person on the Internet, or other electronic means, in order to harm, intimidate, threaten, or defraud another person."
    LVL 1

    Author Comment

    Btan now that is something close to what I was looking for. Will follow up on Monday and read out this article closer and check if out. Most probably that's it.
    Will update Monday

    LVL 60

    Expert Comment

    In fact, author queries are addressed saying no way to get origin ip, Google may not necessarily reveal though it can be attempted in request but still subjected to legislative restrictions.

    For consideration as solution on below
    ID: 40236733
    ID: 40236042

    Featured Post

    Free Trending Threat Insights Every Day

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    One of my favorite tools to use with Google Drive is the offline access. Setting up offline access for Google Drive makes it easier for users to edit and view their docs, sheets and slides without Internet connection. Follow these steps to learn how…
    You can provide a virtual interface for remote stakeholders in a SWOT analysis through a Google Drawing template. By making real time viewing and collaboration possible, your team can build a stronger product.
    This Micro Tutorial will demonstrate using Google Doc how to import live data to another spreadsheet in Google Spreadsheets using the IMPORTRANGE function.
    In this Experts Exchange video Micro Tutorial, I'm going to show how small business owners who use Google Apps can save money by setting up what is called a catch-all email address in their Gmail accounts. By using the catch-all feature, small busin…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now