
OSINT for Email Lookup Tips

Xiè Jí'ān Jieyab 谢吉 edited this page May 12, 2025 · 10 revisions


There are various ways to search for an email address: social media, who owns the email, its history and others. Here are some tips you can use.

1. Data breach

A data breach can be used to find detailed information; its impact is very broad and depends on the content of the data. In many cases there are addresses, full names, cell phone numbers and email addresses. You can use breach data to search for information: there are lots of data brokers you can use, or you can search for the breach data yourself through forums, darknet or darkweb sites and others.


Customize it to your target, and always be careful with the disclosure of breach data, because there are real risks if you do not have a clear legal basis and purpose.

2. Reset password function

You can take advantage of the password reset function on each platform or target site you want to collect from. Note that this requires research and knowledge of web programming and IT security: you must find the endpoints and do research such as pentesting, then use it to match the email address to the account it is connected to, i.e. who owns it. Many social media platforms tell us whether an email address is registered or not. If you have a lot of money you can buy API access on each of these platforms or buy OSINT platforms, but if you have your own expertise you can create your own microservice and run it from Postman, or create your own automation tool such as an email finder.


Note that you need to know the email address, username, phone number or fingerprint (metadata) that you want to search for. You also need to understand what web scraping is, as well as web browsing and HTTP concepts.

3. Username enumeration

This point is similar to the previous one: you need to understand web programming, the business flow of your platform or target site, and pentesting. There are many sites and platforms, such as social media, from which we can collect usernames; the cool name for this is username enumeration. We can find out whether a username is registered or not, then try a password reset or advanced search to find the email address and phone number of the account owner; if found, it is valid. Examples:

https://portswigger.net/burp/documentation/desktop/testing-workflow/authentication-mechanisms/guessing-usernames-for-known-users

https://portswigger.net/burp/documentation/desktop/testing-workflow/authentication-mechanisms/enumerating-usernames

4. Email permutation

You can search using email permutation. If you have found a username and the response turns out to be censored, like t***@gmail.com, you can use an email permutator to find which address is probably valid; you can check the results by brute force or manually.


Note that you need to understand the email format of each platform or email server. For example, if the email address is connected to AD (Active Directory), it usually has a format such as firstname.lastname followed by the domain, as with Microsoft email or business email, or .edu and university email. For example:

  • Username: "test jieyab wagyu"
  • Domain: "suyab.local"
  • Email: "[email protected]"

5. Check MX and DMARC

This applies if your target uses a TLD domain like .com, .net or .id. As before, you need to understand how email servers and web servers work (web admin level). Then you can check the email headers along with MX, SPF and other attributes; every HTTP message carries headers, and you need to understand these too. You can also use whois and the dig command to find out who owns the domain. Here is an example about MX and DMARC:

  • MX Record (Mail Exchange Record)

An MX record is a DNS setting that tells where emails for your domain should be delivered.

Example:

If your domain is example.com, the MX record might say:

10 mail.example.com

This means all emails sent to @example.com will go to the server mail.example.com.

Lower number = higher priority.

An MX record must point to a hostname (not an IP address).

  • DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is a security rule that helps protect your domain from fake or phishing emails.

It works with:

SPF (which checks who is allowed to send email from your domain)

DKIM (which checks whether the email was changed in transit)

Example DMARC record:

_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"

This means:

Use DMARC version 1.

If an email fails the check, reject it.

Send reports to [email protected].

Conclusion

MX record = Where your email goes.

DMARC = How to protect your email from being used by spammers or hackers.
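To make these checks concrete, here is an added example (not code from the original page) that parses an MX record and a DMARC TXT record and rates the DMARC policy. The records are constructed samples in the same shape as the ones above, no live DNS lookup is made, and the rua address is a placeholder.

```python
import ipaddress

# Constructed sample records, same shape as the examples above.
# No DNS queries are made; the rua address is a placeholder.
SAMPLE_MX = ["20 192.0.2.25", "10 mail.example.com"]
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_mx(record):
    """Split '<priority> <target>' and flag a target that is a literal IP
    address, which an MX record must not use (it has to be a hostname)."""
    priority, _, target = record.strip().partition(" ")
    if not priority.isdigit() or not target:
        raise ValueError(f"malformed MX record: {record!r}")
    target = target.strip().rstrip(".")
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False
    return {"priority": int(priority), "target": target, "valid": not is_ip}


def primary_mx(records):
    """Lower number = higher priority: mail goes to the valid target with
    the smallest priority value, or None if no record is usable."""
    valid = [p for p in map(parse_mx, records) if p["valid"]]
    return min(valid, key=lambda p: p["priority"])["target"] if valid else None


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=...' into a {tag: value} dictionary."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_strength(tags):
    """Rate the policy: reject blocks spoofed mail, quarantine flags it,
    none only monitors, and a missing or non-DMARC record gives no protection."""
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "missing"
    levels = {"reject": "strong", "quarantine": "moderate", "none": "monitor-only"}
    return levels.get(tags["p"].lower(), "unknown")
```

In practice the two inputs come from `dig MX example.com` and `dig TXT _dmarc.example.com`; a domain that only reaches "monitor-only" or "missing" is one that spammers can still impersonate.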


6. Scraping

You can use web scraping to search for email addresses on the internet. For this you need to know about programming and HTTP, because each site has security controls such as a WAF and other things, so you need to understand the details of computers or IT security. Example code:

```python
import re

import requests
from bs4 import BeautifulSoup

# URL target
url = "https://example.com"

# Bound the wait and fail loudly on HTTP errors (e.g. a WAF block page)
response = requests.get(url, timeout=15)
response.raise_for_status()
soup = BeautifulSoup(response.text, "html.parser")

# Visible text plus mailto: links, which get_text() alone would miss
text = soup.get_text(" ")
text += " " + " ".join(a["href"] for a in soup.find_all("a", href=True))

emails = re.findall(r"[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+", text)

# Deduplicate case-insensitively and keep a stable order
unique_emails = sorted({e.lower() for e in emails})

print("Email ditemukan:")  # "Emails found:"
for email in unique_emails:
    print(email)
```

7. Data broker or OSINT platform

You can use data brokers as well as the available OSINT tool platforms. If you have more money you can subscribe to the commercial OSINT tools available. Free ones such as GHunt, Holehe and others you can find in my repo.

8. Check from stealer malware log DB or broker

If you have heard the term malware (malicious software), you will also know what malware families are and the different types. In OSINT, especially for CTI (Cyber Threat Intelligence), stealer logs can be used to find out initial access and to search for data such as email addresses, passwords, cookies and other data collected by stealer malware. On various platforms there are dumps of stealer logs in which you can search for an email address, password or other items, depending on the data collected. In this case, it can be used to search for an email address.

9. Search on scholarly platform

If you are looking for someone's email address or name, especially educated people such as scientists, lecturers, students or professionals, you can search for the name or email on scholarly sites such as Google Scholar, ResearchGate, IEEE, Scopus, SINTA, Publish or Perish, etc. This lets you find the email address, who owns it, how to contact them and so on. I often do this when I want to do knowledge research.

10. Dorking

Google dorking is a popular way to search for data such as email addresses, usernames, websites and more. You can do it manually or use the automation tools available. A good dork is a precise query, for example using a site name or domain extension (.com, .net), and you can also use regex-style permutation to make the search easier. For example:

site:edu OR site:ac.id "<degree>. <name>" "@gmail.com"

11. Recognize the domain extension

If you understand what domain extensions like .com and others mean, you can take advantage of that meaning; for details see below:

https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains

As for other techniques such as Whois, also check the Whois history: you can find out the owner of the domain or what the website is about, for example commercial sites, communities, TV and others. Likewise, details such as @gmail.com, @icloud.com, a phone number, an address and other things can be recognised from the email itself; there are many email formats that can give you clues or information about an email address.

*Soon I will add more if there is a new technique, OK!
