16

Someone has sent a sensitive email from my Gmail account. I wanted to trace the IP address by checking out the Received: by X field in the header of the sent message.

However, every message that is sent from Gmail and that I check the header from has (the same) private IP address in the Received: by X section. The field always looks like this:

Received: by 10.42.43.138 with HTTP; {Date}

Where does this IP come from? Why is this the 'Received by' IP address in all sent messages? Messages sent via email clients (like Apple Mail) do show correct 'Received by' IP addresses. Is this some kind of privacy thing Gmail does?

schroeder
  • 123,438
  • 55
  • 284
  • 319
codd
  • 263
  • 1
  • 2
  • 5
  • This keeps happening in some of my replies to some people... does anyone know how to remove all those headers? It only happens for one of my Gmail accounts, but not the other... –  Jan 05 '14 at 01:52

6 Answers

16

When reading a raw email message including all of its headers, the Received: headers are best read from bottom to top. Here, I'll show an example of an email I've received on my GMail account:

Delivered-To: MYEMAIL@gmail.com
Received: by x.x.x.x with SMTP id xxxxxxxx;
        Tue, 3 Sep 2013 xx:xx:xx -0700 (PDT)
Received: from a.b.c.com (a.b.c.com. [x.x.x.x])
        by mx.google.com with ESMTP id xxx;
        Tue, 03 Sep 2013 xx:xx:xx -0700 (PDT)
Received: from localhost (127.0.0.1) by a.b.c.com id xxx for <MYEMAIL@gmail.com>; Tue, 3 Sep 2013 xx:xx:xx +0000 (envelope-from <bounce-xxxxxxxx@c.com>)
From: xxxx<xxxxx@xxxxx.com>
Sender: xxxx <xxxx@a.b.c.com>
Subject: xxxxxxxx

When you want to send an email, you give it to your service provider who will attach the first Received: header, and as the message passes through different relays and mail servers, each one of them attaches its own address until the message reaches its final destination - the recipient's service provider.

So what you're seeing there in the first Received: header is actually GMail's server. That's why you have it in all of your messages, because that's where all the messages end up in your case, in your account on GMail's servers.

Please note that there's really no way to reliably identify the IP address of an email sender. However, the Received: header chain can give you some idea.

Adi
  • 43,808
  • 16
  • 135
  • 167
  • Thanks for the clear answer. Follow up q: why is it that clients like Mail do append the actual client IP address, and the Gmail HTTP client does not? – codd Sep 06 '13 at 09:34
  • 5
    @codd: The `Received:` header contains the address of the **SMTP client**. For webmail, the SMTP client is the HTTP(s) server, not the browser. A desktop mail application is itself the SMTP client. – Ben Voigt Sep 28 '14 at 20:50
10

Each email server (using the SMTP protocol) adds a Received: header specifying who the server is, from where it got the email, and when. In your case, one of the servers internal to the Gmail architecture received the email, apparently through some HTTP interface, and that machine claims to have the specified IP address.

Let's see an example. "Alice Example" (Gmail user, address example@gmail.com) sends an email to her brother "Bob Example", owner of the example.com domain and the example@example.com email address. Bob finds the following header in his mailbox:

Return-Path: <example@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on smtp.example.com
X-Spam-Level:
X-Spam-Status: No, score=-0.7 required=5.0 tests=FREEMAIL_FROM,HTML_MESSAGE,
        RCVD_IN_DNSWL_LOW,SPF_PASS,T_DKIM_INVALID autolearn=disabled
        version=3.3.2
X-Original-To: example@example.com
Delivered-To: example@example.com
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
        by smtp.example.com (Postfix) with ESMTP id 56C8520390
        for <example@example.com>; Thu,  5 Sep 2013 14:21:21 +0200 (CEST)
Received: by mail-ee0-f54.google.com with SMTP id e53so864366eek.13
        for <example@example.com>; Thu, 05 Sep 2013 05:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=0zesmB8vj1jNhyDLWCXsRKUD13aND4CAAU820514d0w=;
        b=N23J2OcAYXeyQct0JWqbGk68bACsXlk47ETNGj+YlOua8iQk6t+EtyW1SoaryS5c1B
        FlWybsPDbJpb3zkuJNvq6o6o1JD2qandN9GKERAyT1CS+bjjO/WyDHOtSDFQjoWNyTcr
        lY3cXxcaUdjsylpdHADmt7mbS7hYWlLwc6e0fvi9MY370xZ6gRrsRGt9yPX3KQTT2nOI
        oEB6ei3o5uSKDhHHftlz0MIrAoo1ZMfHiavmFkmHX+AnADabqu8kddhA3vWBeYOAo366
        ny3VMtO4AzrUoN9sfrlCbGauQ43+a8B+5CxcsRkVs395WtLojNIhDhlmiSJz+exNjqla
        hlzA==
MIME-Version: 1.0
X-Received: by 10.14.107.68 with SMTP id n44mr13246148eeg.26.1378383680460;
        Thu, 05 Sep 2013 05:21:20 -0700 (PDT)
Received: by 10.15.90.131 with HTTP; Thu, 5 Sep 2013 05:21:20 -0700 (PDT)
Date: Thu, 5 Sep 2013 08:21:20 -0400
Message-ID: <CADXjcB87cEC=YF-_GSgYojmVdxGWF5QPE_=T3pPT9T6i8-BcjA@mail.gmail.com>
Subject: essai
From: Alice Example <example@gmail.com>
To: Bob Example <example@example.com>
Content-Type: multipart/alternative; boundary=001a11c29ad2a386e504e5a1f573

The headers are added on top by each successive server, so the first Received: (and the headers which come before it) was added by the last SMTP server, i.e. smtp.example.com. The contents of that header mean that this server received the email from another server that claimed to be named mail-ee0-f54.google.com and had IP address 74.125.83.54, and that this IP address resolves (through reverse DNS) to mail-ee0-f54.google.com (the same name as the claimed name, which is good).

The last Received: header was the one which was first added; it tells us that (apparently) the first SMTP-conscious server who received the email got it over HTTP (that is, a custom protocol which uses HTTP as transport) and that server has the name "10.15.90.131", which is an IP address. We may thus surmise that the Web server to which Alice's browser connected has, within Gmail's network, a private IP address (10.15.90.131). This does not tell us much, because it is a private IPv4 address so it has no meaning outside of Gmail's network.

In any case, that IP address does not indicate much about the IP address of Alice's machine (where she runs her browser). Possibly, Gmail's systems are spread throughout the world and Alice's connection was routed to a Web server in the "same area" (for improved performance). By analysing many headers from many emails, we might rebuild a sort of mapping from geographical area to internal IP address, giving a clue about Alice's current whereabouts. However, this would rely on undocumented assumptions about Gmail's network, and would be crude. Note that this first internal SMTP server uses the PDT time zone, corresponding to North America's West coast, while (in that case) Alice's machine is on North America's East coast, more than 4000 km away from the Pacific.

Summary: the IP addresses you see relate to the servers in Gmail's systems, and are not really related to the client's address. It is the internal address of the server which first received the email. What is relevant for privacy is that the same server did not specify the IP address of the client; the address you see is not a "scrambled" client's IP address; it is another unrelated address.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
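To make the bottom-to-top reading described in the two answers above concrete, here is an added example (not code from either answer, nor anything of Google's) that parses the Received: chain with Python's standard library, lists the hops in transit order, and flags the "with HTTP" hop and any RFC 1918 address as provider-internal rather than the client's address. The sample message is constructed from the headers quoted in the answer above, trimmed to the relevant lines.

```python
import email
import ipaddress
import re

# Constructed sample, modelled on the Gmail-to-Postfix chain quoted in the answer above.
RAW_MESSAGE = """Delivered-To: example@example.com
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
        by smtp.example.com (Postfix) with ESMTP id 56C8520390
        for <example@example.com>; Thu,  5 Sep 2013 14:21:21 +0200 (CEST)
Received: by mail-ee0-f54.google.com with SMTP id e53so864366eek.13
        for <example@example.com>; Thu, 05 Sep 2013 05:21:20 -0700 (PDT)
Received: by 10.15.90.131 with HTTP; Thu, 5 Sep 2013 05:21:20 -0700 (PDT)
From: Alice Example <example@gmail.com>

(body)
"""

# from/by/with clauses; the bracketed IP is the peer the receiving server saw on the socket.
CLAUSE_RE = {k: re.compile(r"(?:^|\s)%s\s+(\S+)" % k) for k in ("from", "by", "with")}
PEER_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def as_ip(text):
    """ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def parse_received(raw_message):
    """All Received: hops, oldest first: the top header is the one added last."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        clause = " ".join(value.split()).split(";", 1)[0]  # unfold, drop timestamp
        hop = {k: (m.group(1) if (m := rx.search(clause)) else None)
               for k, rx in CLAUSE_RE.items()}
        hop["peer_ip"] = m.group(1) if (m := PEER_IP_RE.search(clause)) else None
        hops.append(hop)
    return hops

def classify(hop):
    """What this hop reveals (or not) about the original sender's address."""
    by_ip = as_ip(hop["by"] or "")
    if (hop["with"] or "").upper() == "HTTP":
        return "webmail front end: client spoke HTTP(S), its IP was not recorded"
    if by_ip is not None and by_ip.is_private:
        return "provider-internal relay: private address, meaningless outside its network"
    if hop["peer_ip"] is not None:
        return "SMTP handoff observed from %s [%s]" % (hop["from"], hop["peer_ip"])
    return "relay between servers of the same provider"
```

Running classify over each hop of parse_received(RAW_MESSAGE) yields, in order: the HTTP front end (no client IP), Gmail's internal SMTP relay, and the only externally observed address, the public Google MX that handed the message to smtp.example.com.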
8

There are normally multiple Received: headers in an email and the order in which they are listed is important. Normally you can't determine the meaning of a Received: header without seeing all of the received headers to determine which ones can be trusted.

This one is a bit special. The with HTTP indicates that the person was using the web interface to Gmail and that IP address is the internal IP address of the web server that handled their request.

In Gmail, you can see the IP addresses that are using your account, whether by the web interface or a desktop or mobile client.

Scroll to the bottom. Look on the right hand side where it says:

Last account activity: 7 minutes ago
Open in 1 other location Details

And click on "Details".

In that pop-up you will see all recent activity, IP addresses and countries along with a button to allow you to sign all other clients out.

Ladadadada
  • 5,163
  • 1
  • 24
  • 41
  • That was my second idea! However, you can only see the ten last activities, and that one is from earlier. – codd Sep 05 '13 at 14:48
5

The IP addresses in the headers that you see are not related to the client who sent them if that is what you are thinking. The IP addresses that appear when analyzing the headers are of the mail gateways/servers that are involved between the sender and the receiver. The repeating IP would be the common mail gateway in the path of your email.

AdnanG
  • 707
  • 2
  • 8
  • 18
1

Gmail simply never reveals the sender's IP, as per its policy. While this policy gives peace of mind to Gmail users, it also grants abusers a cosy corner.

Asif Kazi
  • 11
  • 1
  • OP asked for `X-Received`, none of the answers above were about this header. X-Received does reveal sender IP for Google Apps services sometimes (but not Gmail). Anyone can make sense of the 10.0.0.0/8 address in `X-Received` header? – sdaffa23fdsf Dec 29 '16 at 23:57
-1

The copy of the sent mail has been delivered to your mailbox, therefore it contains the header Delivered-To: {your_email}. The copy in your friend's mailbox will have the header Delivered-To: {friends_email}.

All POP clients (not just "some") place all fetched messages in the Inbox regardless of the internal headers. IMAP clients behave differently and show sent messages in the Sent Mail because they mirror the online database. In your POP client, you will have to add rules to move incoming messages "from:your_email" to the Sent folder. This is universally true with all POP clients and all POP servers that serve sent messages. You don't see it in some POP servers only because they only serve the messages that are in the Inbox whereas Gmail serves from the All Mail folder.