The email address is used in most OSINT investigations. Often it is the only thing you have, and although many people consider a lone email address a weak starting point, with the right approach it is enough to learn a great deal about the subject of the investigation. In this post, we’ll discuss the tools and methods you can use to make OSINT based on an email address as efficient as possible.
The information associated with a particular email address can vary greatly. It depends on several factors, such as the age of the address, how widely it has been used, whether it belongs to a consumer webmail provider or to a custom domain, and whether it is linked to social networks.
While Google is one of the best places to start looking, it can sometimes be surprisingly inefficient for email addresses. The main reason is that the pages where people enter their email addresses (such as login pages) are not publicly visible to Google. However, you can find email addresses indexed by Google in other ways.
Put the address in quotation marks so that only exact matches are returned. For example, “[email protected]” (with the quotes) returns more accurate results than searching for [email protected] alone.
You can also use the intext: operator to find web pages that contain an email address string. Combined with the site: operator, this is an effective way to find a business page that your target is related to.
For example, the query site:targetcompany.com intext:[email protected] is far more likely to succeed than a click-and-hope search. The same method can be adapted to search for every address associated with an organization: site:organisation.com intext:@organisation.com This query returns a list of all indexed email addresses on the company site.
Another proven effective strategy is to use the filetype: search operator to find your target’s email address. This will help you find the target’s email address hidden in PDF files or other types of documents. This way you can find: invoices, minutes of meetings, schedules of sports clubs or any other documents.
intext:"[email protected]" filetype:pdf
As you can see, this query finds any PDF files containing Boris Johnson’s parliamentary email address. This is particularly effective when searching for email addresses associated with organizations that publish a large number of documents on the Internet, such as government agencies or universities.
Fagan Finder deserves a separate mention. It works much like Google’s filetype: search, but lets you combine different file types with a wider range of search engines.
Sometimes an email address is associated with a username or nickname. Take the local part of the address (everything before the @) and run it through several search engines as a username search. If your target’s address is unique, the chance of finding the information you need increases. There are many tools that can do this; for example, you can use Sherlock. Installation guide here.
Paste sites are a treasure trove of OSINT information. They contain data leaks, public records, chat logs, and dozens of other types of useful information, including email addresses. Pastebin is currently one of the most widely used and has a built-in search engine. Pastebin is a website where you can store any text for easy sharing. It is primarily used by programmers to store snippets of source code or configuration information, but anyone can paste any type of text. The idea behind the site is to make it easier for people to exchange large amounts of text online.
Jake Kreps recently posted an interesting article about how to research pastes that are not listed and do not show up in Google search results. Jake’s article is worth a read, but with the following Google search you can find an email address in a Pastebin dump that has been reposted on another site (e.g. a hacker forum) and is either not indexed by Google or so far down the results that you would never reach it:
intext:"pastebin.com" AND [email protected] -inurl:"pastebin.com"
The HaveIBeenPwned website is a well-known tool for determining whether an email address has been compromised, but it can also be used for OSINT purposes. HIBP will show you which compromised databases the address appeared in. From this you get an idea of how old your subject’s email address is and, more importantly, which sites and services the account has (or used to have). HIBP contains hacked customer databases from MyFitnessPal, Myspace, AdultFriendFinder, Ancestry, Snapchat, and many other services. You can find out which sites and services your target has used and then apply the username method described above.
Another great command line tool for detecting hacked email accounts is H8Mail. The Dehashed service offers a paid service that includes not only email addresses but also passwords. Looks tempting, but be warned: no matter where you live, getting someone’s password and accessing their email is generally illegal.
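As an added example (not from this post and not HIBP’s own code), here is how an analyst might reduce a breach list to the facts the post says can be read from it: the services an address was registered with, a lower bound on the address’s age, and which sensitive data classes were exposed. The field names Name, Domain, BreachDate and DataClasses follow HIBP’s published breach model; the sample entries and domains are constructed for the example and do not describe real breaches.

```python
from datetime import date

# Constructed sample shaped like HIBP's breach model (Name, Domain, BreachDate,
# DataClasses). The entries are made up for this example; they are not a real
# lookup result and the domains do not exist.
SAMPLE_BREACHES = [
    {"Name": "ExampleFitness", "Domain": "fitness.example", "BreachDate": "2018-02-01",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ExampleSocial", "Domain": "social.example", "BreachDate": "2013-06-11",
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleShop", "Domain": "shop.example", "BreachDate": "2020-09-30",
     "DataClasses": ["Email addresses", "Phone numbers", "Physical addresses"]},
]

# Data classes that turn a listing from "this address was registered here" into
# an account-takeover or doxxing risk for the address owner.
SENSITIVE = {"Passwords", "Phone numbers", "Physical addresses", "Credit cards"}


def _whole_years(earlier, later):
    """Complete years between two dates, ignoring the partial year."""
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years


def summarize_breaches(breaches, as_of):
    """Condense a breach list into the facts the post reads from HIBP:
    which services the address was registered with (oldest breach first),
    a lower bound on the address's age, and which sensitive data was exposed.
    `as_of` is an ISO date string so the result is reproducible."""
    today = date.fromisoformat(as_of)
    if not breaches:
        return {"services": [], "earliest": None, "years_old_at_least": 0, "sensitive": []}
    by_date = sorted(breaches, key=lambda b: b["BreachDate"])  # ISO dates sort as strings
    earliest = date.fromisoformat(by_date[0]["BreachDate"])
    exposed = set()
    for b in breaches:
        exposed.update(set(b["DataClasses"]) & SENSITIVE)
    return {
        "services": [b["Domain"] for b in by_date],
        "earliest": earliest.isoformat(),
        # The address existed at least as far back as the earliest breach.
        "years_old_at_least": _whole_years(earliest, today),
        "sensitive": sorted(exposed),
    }


if __name__ == "__main__":
    print(summarize_breaches(SAMPLE_BREACHES, "2024-01-01"))
```

The earliest breach date is only a lower bound: the address may be older than any breach it appears in, and an address absent from HIBP may still be old or compromised.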
The Emailrep.io service is great for estimating the age of an email account, whether or not the address appears in breach databases. It is useful for people dealing with phishing and spam, and also as an OSINT tool. When we tried it with several email addresses, it successfully identified several social networks associated with them, but be aware that it definitely doesn’t cover everything. To check an address, open the following URL.
If you prefer, you can also query the API with curl from the command line:
If the email address exists, you will get a table like the following
Spycloud is another such tool, but it shows much less information than Emailrep.io.
Hunter is a great OSINT email tool. While its target audience is salespeople and recruiters, it’s also great for OSINT (although you’ll need to register). Hunter doesn’t work with regular email services like Gmail, but when an email address is associated with a domain owned by an organization, it’s incredibly useful.
As an example, I’m using Hunter to view email addresses associated with The New York Times domain, www.nytimes.com
We get a list of all the email addresses associated with that domain, and Hunter is smart enough to work out which department of the organization each person most likely works in. You can also use the “Sources” link to expand your search by following the URL from which each address was retrieved.
Another useful feature is Hunter’s ability to predict an employee’s email address from the address format it has already detected. Hunter suggests an address for a name you enter, so if we wanted to know whether the NYT has hired someone named “Maxim Kowalski”, I could enter that name.
Companies like WhitePages aggregate a large amount of data from hundreds of sources and can associate email addresses with other identifiers such as postal addresses and phone numbers. However, WhitePages is only worth paying for if you are looking for someone who lives in the United States. Because of privacy laws there is no WhitePages equivalent in the UK, the EU and many other countries, so its value as an email search tool is limited if your subject lives in the EU.
Twitter – Gmail Sync
The contact sync feature in some apps and services allows you to identify a subject’s social media profiles based on their email addresses. Aware-Online has done the research and written a great article about it, which I recommend you read in full.
This method involves creating a phantom Gmail account as well as a Twitter account in order to use the contact sync functionality to its full potential! Add the target email address as a Gmail contact, allow Twitter to sync with your contacts, and voila!
LinkedIn offers a lot of OSINT features, especially in terms of email research. In particular, you can set up a URL to check if a given email address is associated with a profile.
If a LinkedIn account is associated with that email address, you’ll see it.
The reverse direction also works, from a LinkedIn profile to an email address. Mattias Wilson has done a lot of research on this topic and you can read his full post here. Mattias used the contact sync method mentioned above to link his Gmail account to other services and find the email address of someone he had found on LinkedIn. Since he knew his subject’s name, he used the Email Permutator to compile a list of possible email addresses. By adding all of these as Gmail contacts and then checking which addresses sync to LinkedIn profiles, you should be able to identify someone’s email address even if you don’t know it.
MxToolbox has been providing diagnostic and search services for MX (mail exchange) servers for a long time. MxToolbox is not as useful when dealing with addresses on popular email domains like Gmail or Yahoo Mail. However, when the research subject uses an email service with its own mail exchange server, as most large organizations do, it helps to find additional information. A good starting point for further study is the IP address of the mail exchange server. From there, you can explore public IPs, nameservers, reverse IPs and other parts of the network infrastructure to learn more about your subject’s organization and its presence on the Internet.
Another useful feature of MxToolbox is email header analysis. The only drawback is that only messages sent by the subject directly to your mailbox are suitable for analysis, because the headers are rewritten if the message is forwarded from anywhere else. Instructions on where to get a header for analysis.
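As an added example (not from this post and not MxToolbox’s code), here is what a header analyzer does with the Received chain of a message, using Python’s standard email module. The raw message is constructed for the example: the hostnames use .example and the IPs come from documentation ranges, so nothing here is a real capture. The regex assumes the common “from HELO (reverse-DNS [IP]) by server” layout written by Postfix, Exim and Sendmail; other MTAs vary, so unmatched hops are kept with empty fields rather than dropped.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message for this example: three Received hops (the topmost
# header is the most recent) followed by ordinary From/To/Subject headers.
SAMPLE_RAW = """\
Received: from mx1.receiver.example (mx1.receiver.example [203.0.113.10])
    by inbox.receiver.example with ESMTPS id abc123;
    Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.25])
    by mx1.receiver.example with ESMTPS id def456;
    Mon, 1 Jan 2024 10:00:03 +0000
Received: from laptop.lan (unknown [192.0.2.77])
    by mail.sender.example with ESMTPA id ghi789;
    Mon, 1 Jan 2024 10:00:01 +0000
From: Alice <alice@sender.example>
To: bob@receiver.example
Subject: header analysis sample

body text
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>": the usual shape of a
# Received header as written by Postfix/Exim/Sendmail (assumption for this example).
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def received_chain(raw_message):
    """Return the Received hops in transit order (origin first, final hop last)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are prepended by each MTA, so reversing gives origin-first order.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = _HOP_RE.search(flat)
        hop = {"helo": "", "rdns": "", "ip": "", "by": "", "time": None}
        if m:
            hop.update(m.groupdict())
        if ";" in flat:  # the timestamp follows the last semicolon
            try:
                hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append(hop)
    return hops


def originating_ip(raw_message):
    """IP that handed the message to the first MTA in the chain."""
    chain = received_chain(raw_message)
    return chain[0]["ip"] if chain else ""


def transit_seconds(raw_message):
    """Seconds between the first and last timestamped hop."""
    times = [h["time"] for h in received_chain(raw_message) if h["time"]]
    return (max(times) - min(times)).total_seconds() if len(times) > 1 else 0.0


def inconsistent_hops(raw_message):
    """Hops whose HELO name and reverse DNS disagree, or that have no reverse DNS.
    These are the hops worth a second look when judging where a message came from."""
    return [h for h in received_chain(raw_message)
            if h["ip"] and (h["rdns"] in ("", "unknown") or h["rdns"] != h["helo"])]


if __name__ == "__main__":
    for h in received_chain(SAMPLE_RAW):
        print(f"{h['ip']:15} {h['helo']:22} -> {h['by']}  {h['time']}")
    print("origin:", originating_ip(SAMPLE_RAW))
```

Read the chain from the top (your own servers) downward: only the hops written by servers you control are trustworthy, since a sender can include arbitrary Received lines of its own before handing the message over, which is also why a forwarded copy tells you little about the original sender.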
Spiderfoot is a fantastic tool for automating OSINT queries. How to set up and run Spiderfoot is the topic of a separate blog, but you can start using it right now because the documentation and support for the project are just great. You can choose from dozens of different modules, but there are a few designed specifically for email addresses that you’ll definitely want to include.
BotScout – Uses the botscout.com database to look up spam bot IP addresses and email addresses.
E-Mail – Identifies email addresses in all received data.
EmailFormat – Looks up email addresses on email-format.com.
Clearbit – With clearbit.com email search you can find names, addresses, domains and more.
IntelligenceX – Identifies IP addresses, domains, email addresses and phone numbers using IntelligenceX.
In addition, there are several modules that automate checks using HaveIBeenPwned and Hunter.io, which we wrote about above.