Topic: break in attempt to my blockchain wallet (Read 813 times)

newbie
Activity: 5
Merit: 0
April 10, 2013, 12:30:53 AM
#13
In the future, try two-factor authentication.
newbie
Activity: 17
Merit: 0
If you see an IP 94-something in there, that's mine. I resecured the wallet, and fortunately I had no BTC in there when they went into it. Just wondering how they got into it in the first place; I think they got in my email to get the passcode that is generated anytime somebody attempts a login.
newbie
Activity: 17
Merit: 0
I found the IP from the email from blockchain

Delivered-To: [email protected]
Received: by 10.180.77.227 with SMTP id v3csp66822wiw;
        Tue, 9 Apr 2013 08:56:06 -0700 (PDT)
X-Received: by 10.181.11.164 with SMTP id ej4mr20901257wid.29.1365522966205;
        Tue, 09 Apr 2013 08:56:06 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mini1.blockchain.info ([91.203.74.106])
        by mx.google.com with ESMTP id u3si37726033eeg.221.2013.04.09.08.56.05;
        Tue, 09 Apr 2013 08:56:06 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 91.203.74.106 as permitted sender) client-ip=91.203.74.106;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 91.203.74.106 as permitted sender) [email protected]
Received: from 185.7.149.10 ([185.7.149.10])
          by mini1.blockchain.info (JAMES SMTP Server 2.3.2) with SMTP ID 75
          for <[email protected]>;
          Tue, 9 Apr 2013 16:56:05 +0100 (BST)
Date: Tue, 9 Apr 2013 16:56:05 +0100 (BST)
From: [email protected]
To: [email protected]
Message-ID: <507199439.6757.1365522963682.JavaMail.admin@server8>
Subject: My Wallet Confirmation Code
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_Part_6756_665728387.1365522963680"

------=_Part_6756_665728387.1365522963680
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Confirmation Required

An attempt has been made to login to your My wallet account from ip =
address 95.211.6.197. Enter the confirmation code below to access your acco=
unt. If it was not you who made this login attempt you can ignore this emai=
l.

8EA57

        2013-04-09 15:56:03

        Your wallet identifier is:  bold;" href=3D"https://blockchain.info/wallet/62bd1e4e-bc2e-e571-c176-f8ee=
298478bd">62bd1e4e-bc2e-e571-c176-f8ee298478bd - (https://bl=
ockchain.info/wallet/unsubscribe?guid=3DBwNQIAVVdiQAVFIAIQBUBHIAACEJcwQAJAE=
jUQYBCgAHCVsm">Unsubscribe)

------=_Part_6756_665728387.1365522963680--
hero member
Activity: 560
Merit: 500
The first response already identified the IP address as a Tor exit node. Further attempts to identify will be fruitless.
Quote
an attempt to login to my wallet account from I.P. address 95.211.6.197
It seems like he found that IP from the website, not from the email. I was trying to see if we could figure out if the email was faked and figure out if he needs to worry about phishing.
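An added example, not part of any post in this thread: a Python sketch of the header check being discussed, run over header lines copied from the post above. The function names and the `trusted_mx` parameter are assumptions of this example; the idea is that only the hop stamped by the recipient's own provider (here `mx.google.com`) records an observed connecting IP, while everything below it was written before that server saw the message.

```python
import re
from email import message_from_string

# Header lines copied from the post above (addresses were already redacted there).
RAW = """\
Received: by 10.180.77.227 with SMTP id v3csp66822wiw;
        Tue, 9 Apr 2013 08:56:06 -0700 (PDT)
Received: from mini1.blockchain.info ([91.203.74.106])
        by mx.google.com with ESMTP id u3si37726033eeg.221.2013.04.09.08.56.05;
        Tue, 09 Apr 2013 08:56:06 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 91.203.74.106 as permitted sender) [email protected]
Received: from 185.7.149.10 ([185.7.149.10])
          by mini1.blockchain.info (JAMES SMTP Server 2.3.2) with SMTP ID 75
          for <[email protected]>;
          Tue, 9 Apr 2013 16:56:05 +0100 (BST)
Subject: My Wallet Confirmation Code

"""

def flatten(value):
    return " ".join(value.split())  # collapse a folded header onto one line

def analyze(raw, trusted_mx):
    """Split the Received chain at the hop stamped by trusted_mx (hypothetical helper)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):  # newest hop first
        flat = flatten(value)
        frm = re.search(r"\bfrom (\S+) \(\[([0-9A-Fa-f.:]+)\]\)", flat)
        by = re.search(r"\bby (\S+)", flat)
        hops.append({"helo": frm.group(1) if frm else None,
                     "ip": frm.group(2) if frm else None,
                     "by": by.group(1) if by else None})
    # Hop where trusted_mx accepted the mail: the bracketed IP is what that server
    # observed; the name in front of it is only what the sending host claimed.
    pos = next((i for i, h in enumerate(hops)
                if h["by"] == trusted_mx and h["ip"]), None)
    spf = None
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = flatten(value).partition(";")
        m = re.search(r"\bspf=(\w+)", results)
        if authserv.strip() == trusted_mx and m:  # ignore verdicts from other servers
            spf = m.group(1)
    handoff = hops[pos] if pos is not None else {}
    return {"connecting_ip": handoff.get("ip"),
            "claimed_name": handoff.get("helo"),
            "spf": spf,
            "unverified_hops": hops[pos + 1:] if pos is not None else hops}
```

An `spf` value of `softfail` means the sender domain's SPF record does not list the connecting IP but asks receivers not to reject outright, so on its own it neither proves nor rules out forgery.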
legendary
Activity: 1512
Merit: 1036
April 09, 2013, 03:46:46 PM
#9
The first response already identified the IP address as a Tor exit node. Further attempts to identify will be fruitless. You should focus on re-securing your funds, ideally sending all funds to a new blockchain wallet account with a new email address.

Secondly, the email may be a phishing attempt; do not click on any links in the email, as they may go to a hacker's site that impersonates blockchain.info and attempts to trick you into putting in your credentials.
full member
Activity: 228
Merit: 100
This is not good for my Chi... Yifu
hero member
Activity: 560
Merit: 500
April 09, 2013, 12:43:03 PM
#7
You'll have to post it via the forums, I don't have access to your email account.
newbie
Activity: 17
Merit: 0
April 09, 2013, 12:31:08 PM
#5
[email protected]

Confirmation Required

An attempt has been made to login to your My wallet account from ip address 95.211.6.197. Enter the confirmation code below to access your account. If it was not you who made this login attempt you can ignore this email.
hero member
Activity: 560
Merit: 500
April 09, 2013, 12:28:15 PM
#4
Mind posting the full headers of the email?
http://whatismyipaddress.com/find-headers
newbie
Activity: 54
Merit: 0
April 09, 2013, 12:26:58 PM
#3
You can look up an IP address here:
http://whatismyipaddress.com/ip-lookup

But I don't think it will help a lot.
member
Activity: 83
Merit: 10
April 09, 2013, 12:25:47 PM
#2
Regarding the IP address, it's a TOR exit node so you'll never find out who it is by the IP address alone.
newbie
Activity: 17
Merit: 0
April 09, 2013, 12:20:05 PM
#1
I had an email with my wallet confirmation code sent to me saying an attempt to login to my wallet account from I.P. address 95.211.6.197 has been made. Whoever did it took off the wallet confirmation code part, so now all they would need is the password. So I would think they have my password. Is there any way to see what this I.P. address is?