Email headers from messages sent via Gmail online client contain private IP addresses. What are these addresses?

When reading a raw email message including all of its headers, the Received: headers are best read from bottom to top. Here, I'll show an example of an email I've received on my GMail account:

Delivered-To: [email protected]
Received: by x.x.x.x with SMTP id xxxxxxxx;
        Tue, 3 Sep 2013 xx:xx:xx -0700 (PDT)
Received: from a.b.c.com (a.b.c.com. [x.x.x.x])
        by mx.google.com with ESMTP id xxx;
        Tue, 03 Sep 2013 xx:xx:xx-0700 (PDT)
Received: from localhost (127.0.0.1) by a.b.c.com id xxx for [email protected]>; Tue, 3 Sep 2013 xx:xx:xx +0000 (envelope-from <[email protected]>)
From: xxxx<[email protected]>
Sender: xxxx <[email protected]>
Subject: xxxxxxxx

When you want to send an email, you give it to your service provider who will attach the first Received: header, and as the message passes through different relays and mail servers, each one of them attaches its own address until the message reaches its final destination - the recipient's service provider.

So what you're seeing there in the first Received: header is actually GMail's server. That's why you have it in all of your messages, because that's where all the messages end up in your case, in your account on GMail's servers.

Please note that there's really no way to reliably identify the IP address of an email sender. However, the Received: header chain can give you some idea.


Each email server (using the SMTP protocol) adds a Received: header specifying who the server is, from where it got the email, and when. In your case, one of the servers internal to the Gmail architecture received the email, apparently through some HTTP interface, and that machine claims to have the specified IP address.

Let's see an example. "Alice Example" (Gmail user, address [email protected]) sends an email to her brother "Bob Example", owner of the example.com domain and the [email protected] email address. Bob finds the following header in his mailbox:

Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on smtp.example.com
X-Spam-Level:
X-Spam-Status: No, score=-0.7 required=5.0 tests=FREEMAIL_FROM,HTML_MESSAGE,
        RCVD_IN_DNSWL_LOW,SPF_PASS,T_DKIM_INVALID autolearn=disabled
        version=3.3.2
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
        by smtp.example.com (Postfix) with ESMTP id 56C8520390
        for <[email protected]>; Thu,  5 Sep 2013 14:21:21 +0200 (CEST)
Received: by mail-ee0-f54.google.com with SMTP id e53so864366eek.13
        for <[email protected]>; Thu, 05 Sep 2013 05:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=0zesmB8vj1jNhyDLWCXsRKUD13aND4CAAU820514d0w=;
        b=N23J2OcAYXeyQct0JWqbGk68bACsXlk47ETNGj+YlOua8iQk6t+EtyW1SoaryS5c1B
        FlWybsPDbJpb3zkuJNvq6o6o1JD2qandN9GKERAyT1CS+bjjO/WyDHOtSDFQjoWNyTcr
        lY3cXxcaUdjsylpdHADmt7mbS7hYWlLwc6e0fvi9MY370xZ6gRrsRGt9yPX3KQTT2nOI
        oEB6ei3o5uSKDhHHftlz0MIrAoo1ZMfHiavmFkmHX+AnADabqu8kddhA3vWBeYOAo366
        ny3VMtO4AzrUoN9sfrlCbGauQ43+a8B+5CxcsRkVs395WtLojNIhDhlmiSJz+exNjqla
        hlzA==
MIME-Version: 1.0
X-Received: by 10.14.107.68 with SMTP id n44mr13246148eeg.26.1378383680460;
        Thu, 05 Sep 2013 05:21:20 -0700 (PDT)
Received: by 10.15.90.131 with HTTP; Thu, 5 Sep 2013 05:21:20 -0700 (PDT)
Date: Thu, 5 Sep 2013 08:21:20 -0400
Message-ID: <CADXjcB87cEC=YF-_GSgYojmVdxGWF5QPE_=T3pPT9T6i8-BcjA@mail.gmail.com>
Subject: essai
From: Alice Example <[email protected]>
To: Bob Example <[email protected]>
Content-Type: multipart/alternative; boundary=001a11c29ad2a386e504e5a1f573

The headers are added on top by each successive server, so the first Received: (and headers which come before that) was added by the last SMTP server, i.e. smtp.example.com. The contents of that header mean that this server received the email from another server who claimed to be named mail-ee0-f54.google.com, and had IP address 74.125.83.54, and that IP address resolves (through reverse DNS) to mail-ee0-f54.google.com (the same name as the claimed name, which is good).

The last Received: header was the one which was first added; it tells us that (apparently) the first SMTP-conscious server who received the email got it over HTTP (that is, a custom protocol which uses HTTP as transport) and that server has the name "10.15.90.131", which is an IP address. We may thus surmise that the Web server to which Alice's browser connected has, within Gmail's network, a private IP address (10.15.90.131). This does not tell us much, because it is a private IPv4 address so it has no meaning outside of Gmail's network.

In any case, that IP address does not indicate much about the IP address of Alice's machine (where she runs her browser). Possibly, Gmail's systems are spread throughout the World and Alice's connection was routed to a Web server in the "same area" (for improved performance). By analysing many headers from many emails, we might rebuild a sort of mapping from geographical area to internal IP address, giving a clue about Alice's current whereabouts. However, this would rely on undocumented assumptions about Gmail's network, and would be crude. Note that this first internal SMTP server uses the PDT time zone, corresponding to North America's West coast, while (in that case) Alice's machine is on North America's East coast, more than 4000 km away from the Pacific.

Summary: the IP addresses you see relate to the servers in Gmail's systems, and are not really related to the client's address. It is the internal address of the server which first received the email. What is relevant for privacy is that the same server did not specify the IP address of the client; the address you see is not a "scrambled" client's IP address; it is another unrelated address.
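The bottom-to-top reading described in the answers above, as an added example that is not part of any of the original answers: it walks the Received: chain oldest hop first and marks each address as private or public. The sample is constructed from the headers quoted above, with placeholder mailbox addresses; the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the quoted headers; mailboxes are placeholders.
SAMPLE = """\
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
        by smtp.example.com (Postfix) with ESMTP id 56C8520390
        for <bob@example.com>; Thu,  5 Sep 2013 14:21:21 +0200 (CEST)
Received: by mail-ee0-f54.google.com with SMTP id e53so864366eek.13
        for <bob@example.com>; Thu, 05 Sep 2013 05:21:20 -0700 (PDT)
Received: by 10.15.90.131 with HTTP; Thu, 5 Sep 2013 05:21:20 -0700 (PDT)
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.com>
Subject: essai

body
"""

# Dotted quad that is not part of a longer token such as a queue id.
IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

def field(keyword, stamp):
    """Return the token following 'from', 'by' or 'with', or None."""
    m = re.search(rf"\b{keyword}\s+(\S+)", stamp)
    return m.group(1) if m else None

def hops(raw):
    """Return Received: hops oldest first (the header list is newest first)."""
    msg = email.message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        stamp = " ".join(value.split()).rsplit(";", 1)[0]  # unfold, drop date
        ips = []
        for cand in IPV4.findall(stamp):
            try:
                ips.append((cand, ipaddress.ip_address(cand).is_private))
            except ValueError:
                pass  # looked like an address but is not a valid one
        out.append({"from": field("from", stamp), "by": field("by", stamp),
                    "proto": field("with", stamp), "ips": ips})
    return out

def first_hop_exposes_public_ip(raw):
    """True if the oldest hop carries a routable (non-private) address."""
    chain = hops(raw)
    return bool(chain) and any(not private for _, private in chain[0]["ips"])

if __name__ == "__main__":
    for n, hop in enumerate(hops(SAMPLE), 1):
        print(n, hop)
```

Only the hop written by a server you control (here smtp.example.com) is trustworthy; everything below it is whatever the upstream servers chose to write.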


There are normally multiple Received: headers in an email and the order in which they are listed is important. Normally you can't determine the meaning of a Received: header without seeing all of the received headers to determine which ones can be trusted.

This one is a bit special. The "with HTTP" indicates that the person was using the web interface to Gmail and that IP address is the internal IP address of the web server that handled their request.

In Gmail, you can see the IP addresses that are using your account, whether by the web interface or a desktop or mobile client.

Scroll to the bottom. Look on the right hand side where it says:

Last account activity: 7 minutes ago
Open in 1 other location Details

And click on "Details".

In that pop-up you will see all recent activity, IP addresses and countries along with a button to allow you to sign all other clients out.
