This morning I received an email from a family member that was out of the norm. After confirming with them they didn’t even have their computer on at the time (nor any others in their house) it is clear their account was hacked.
She is using a GMail account and I took a look at the message headers and unfortunately the only IP addresses seen are internal to Google:
Delivered-To: ---email address removed--- Received: by 10.76.170.103 with SMTP id al7csp352256oac; Thu, 8 Nov 2012 04:49:34 -0800 (PST) Received: by 10.182.10.6 with SMTP id e6mr5513302obb.16.1352378974875; Thu, 08 Nov 2012 04:49:34 -0800 (PST) Return-Path: <---email address removed---> Received: from mail-ob0-f194.google.com (mail-ob0-f194.google.com [126.96.36.199]) by mx.google.com with ESMTPS id g3si24272819obb.102.2012.11.08.04.49.34 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 08 Nov 2012 04:49:34 -0800 (PST) Received-SPF: pass (google.com: domain of ---email address removed--- designates 188.8.131.52 as permitted sender) client-ip=184.108.40.206; Authentication-Results: mx.google.com; spf=pass (google.com: domain of ---email address removed--- designates 220.127.116.11 as permitted sender) smtp.mail=---email address removed---; dkim=pass email@example.com Received: by mail-ob0-f194.google.com with SMTP id wd20so40318obb.1 for <---email address removed--->; Thu, 08 Nov 2012 04:49:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=KVctWfppYoZe638A5L2PpKSVcRBstM3C5hZvpXpbZW4=; b=xZgyRAvZMQKLuWo+s+PchtJ6eHOOurg6cqSsmku0LLL9Xe2lw8WFwIbAE0k5Pv57e7 nC7oRkrobe+64ee6ng/LtuSgkRjxGuCPbVUft4vkTyq9RF6S6t9RKHlOXmga0WTIHMZk 8tHakKbeSaxEQRmrS3+xzPAzRDGednWiK4pQ28vbTf/Z1N5dDMFfFlusNNT+gF+wVbub Z/Dew04SopaoTy7gnbYxCAINMohGerW4UAxPoFW8NIRnScwjntQBiFJGnMnpDKLJXt52 lSPbOdG+GB857AZuUBZ0/YaKCZM6RcI/doNsxU4NGea6trcWy1TOw6Z8QaHM7PK9xf9q ibWw== Received: by 10.60.171.200 with SMTP id aw8mr4753474oec.112.1352378521839; Thu, 08 Nov 2012 04:42:01 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.30.168 with HTTP; Thu, 8 Nov 2012 04:41:41 -0800 (PST)
After that point the remainder is the standard message headers and body.
Unfortunately the last Received:
Received: by 10.182.30.168 with HTTP; Thu, 8 Nov 2012 04:41:41 -0800 (PST)
Doesn’t include the IP address of the web client connected.
Is there any further tracing that can be done at this point?
The only other clue is in the message body sending the recipient to: