
In some cases it may be necessary or helpful to find the private IP of a suspect. This can be difficult, especially since NAT is common in most networks. However, if a suspect is sending emails from a local client, the private, as well as public, address may be available in the email header.


If Gmail is used with a local client (like Thunderbird, Outlook, etc.) then the email header should have the private IP address. Note that some of the information may be stripped by the client or the client network before reaching the SMTP server. Take a look below:

----- Mail sent from Thunderbird using googlemail SMTP -----
Received: from [10.0.0.101] ([211.111.111.111]) <--- here you can see the private (10.0.0.101) and public (211.111.111.111) IP address of the sender connecting to the SMTP server.
by smtp.googlemail.com with ESMTPSA id <-- this line tells you that the message was received by SMTP
for <test@gmail.com>
Mon, 02 Nov 2015 23:01:38 -0800 (PST)
To: Joshua James <test@gmail.com>
From: "Joshua I. James" <test@gmail.com>


If the email is sent from the Gmail web interface (in the browser), the private IP address is NOT available. Google's web server only sees the suspect's public IP address when the browser connects to it.

------- Sent from gmail web interface ------
Received: by 10.50.10.233 with HTTP; <---- "with HTTP" means received via web interface on server 10.50.10.233 (Google). The sender's IP is not shown.
Date: Tue, 3 Nov 2015 16:08:03 +0900
Subject: test2
From: "Joshua I. James" <test@gmail.com>
To: "Joshua I. James" <test@gmail.com>

If the header only shows Google's address, then the suspect must have been accessing the web interface (check for "with HTTP"). In that case, Google will only have the public IP of the suspect.
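
The two cases above can be checked automatically. The following Python sketch is an added example, not part of the original post: it parses the Received headers, reports the "with" protocol, and flags whether the bracketed address is private. The sample headers are constructed from the ones shown above, and the "id" value is a placeholder.

```python
import ipaddress
import re
from email import message_from_string

# Constructed samples modelled on the two headers in the post.
SMTP_SAMPLE = (
    "Received: from [10.0.0.101] ([211.111.111.111])\n"
    "        by smtp.googlemail.com with ESMTPSA id placeholder\n"
    "        for <test@gmail.com>;\n"
    "        Mon, 02 Nov 2015 23:01:38 -0800 (PST)\n"
    "To: Joshua James <test@gmail.com>\n\n"
)
WEB_SAMPLE = (
    "Received: by 10.50.10.233 with HTTP; Tue, 3 Nov 2015 16:08:03 +0900\n"
    "Subject: test2\n\n"
)

# "from [announced] ([connecting])": the first address is what the client
# announced about itself (client-supplied, so corroborate it); the second
# is the address the SMTP server saw on the connection.
FROM_RE = re.compile(r"from\s+\[([^\]]+)\]\s+\(\[([^\]]+)\]\)")
WITH_RE = re.compile(r"\bwith\s+(\w+)")

def _ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def analyse(raw_headers):
    """Summarise each Received header: protocol, announced and connecting IPs."""
    findings = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        hop = {"protocol": None, "announced": None, "connecting": None,
               "announced_is_private": None}
        proto = WITH_RE.search(value)
        if proto:
            hop["protocol"] = proto.group(1).upper()
        m = FROM_RE.match(value)
        if m:
            announced, connecting = _ip(m.group(1)), _ip(m.group(2))
            if announced is not None:
                hop["announced"] = str(announced)
                hop["announced_is_private"] = announced.is_private
            if connecting is not None:
                hop["connecting"] = str(connecting)
        findings.append(hop)
    return findings

if __name__ == "__main__":
    for sample in (SMTP_SAMPLE, WEB_SAMPLE):
        print(analyse(sample))
```

A hop with protocol "HTTP" and no announced address corresponds to the web-interface case, where only the provider's own server address appears.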