12 OSINT Resources For E-mail Addresses – NixIntel (2023)

Most OSINT investigations involve an e-mail address at some point. Some start with an e-mail and nothing else. E-mail addresses can sometimes be a bit of a challenge but they can also provide a wealth of information about a subject. The rest of this post will look at a range of different tools and techniques that can be used to get the most from an e-mail address.

The amount of information available about a particular e-mail address can vary widely. This depends on a number of different factors, such as how old the e-mail address is, how widely the owner has published it on the internet, and whether the provider is a common e-mail provided like Gmail or Protonmail, or whether the e-mail address is tied to its own company domain name.

1. Google

12 OSINT Resources For E-mail Addresses – NixIntel (1)

Google is as good a place as any to start a search, but sometimes it can be of surprisingly limited value for finding e-mail addresses. The main reason for this is that the places where people use their e-mail addresses (such as account login pages) are not accessible to Google. Nevertheless there are still some useful ways to find e-mail addresses where Google has indexed them.

Use quotation marks to return exact matches only. Searching for [emailprotected] is more precise than searching for just [emailprotected].

The intext search modifier can also be used to find webpages where the e-mail address appears as a string. This can be particularly effective when combined with the site: modifier to search within the website of a company that your target is associated to. For example site:targetcompany intext:[emailprotected] is much more likely to be successful than just a hit-and-hope search. You could even tweak this technique to find a whole host of e-mail addresses associated to your target’s organisation with the following search term

site:organisation.com intext:@organisation.com

This would return all indexable e-mail addresses within the company’s website. This example shows you can use the following query to find all the e-mail addresses listed within the bbc.co.uk domain:

site:bbc.co.uk intext:@bbc.co.uk

Another really effective technique is to use the filetype: search operator find where your target’s e-mail address. This can find a target’s e-mail address hidden away inside PDF or other file types. This can reveal company documents, invoices, meeting minutes, sports club fixtures or any other kind of document. For example a search like:

intext:”[emailprotected]” filetype:pdf

(Video) Open-Source Intelligence (OSINT) in 5 Hours - Full Course - Learn OSINT!

Will find any PDFs containing Boris Johnson’s parliamentary e-mail address.

It’s particularly effective when searching for e-mails linked to organisations that have a lot of documents available on the web, such as government institutions or universities.

12 OSINT Resources For E-mail Addresses – NixIntel (2)

It’s also worth mentioning FaganFinder at this point. It works in a similar way to the Google filetype: search but it allows to combine different file types with a wider range of search engines.

2. Username

There’s often a link between someone’s e-mail address and their usernames. A good technique to try is to take the first part of a subject’s e-mail address and run it through a number of username search engines. So if you were trying to find out about more about [emailprotected], you’d target the username cryptoscammer666. The more unique an e-mail handle is, the more likely it is you’ll find a match. There are a number of browser based tools that can do this, but my favourite tool by far is Sherlock (set up and usage guide here).

12 OSINT Resources For E-mail Addresses – NixIntel (3)

Just a note of caution though. Attribution and association of usernames is far from certain. Just because two accounts or e-mail addresses have the same username doesn’t mean they’re linked. Further corroboration should be done where possible. In the picture above, I found multiple online accounts with the username “nixintel” – but only one is actually me!

3. Pastes

12 OSINT Resources For E-mail Addresses – NixIntel (4)

Pastes are a treasure trove of OSINT information. They contain data breaches, public records, chatroom logs, and dozens of other kinds of useful information – including e-mail addresses. Pastebin is by far the most widely-used and has its own built in search engine.

NetBootCamp also has a custom search tool that allows you to search simultaneously across multiple paste sites.

12 OSINT Resources For E-mail Addresses – NixIntel (5)

Earlier this year Jake Creps posted an interesting piece of research on how to locate Pastebin pastes that are unlisted and don’t show up in Google searches. I recommend you read Jake’s article in full, but by using the following Google search it would be possible to search for an e-mail in a Pastebin dump listed on a site (such as a hacking forum) that either wasn’t indexed by Google or was so far down the list of search results that it wasn’t visible:

(Video) The Creepiest OSINT Tool to Date

Intext:”pastebin.com” AND [emailprotected] –inurl:”pastebin.com”

4. HaveIBeenPwned

12 OSINT Resources For E-mail Addresses – NixIntel (6)

HaveIBeenPwned is a well-known resource for checking if an e-mail has been involved in a data breach, but it can also be of use for OSINT purposes. When you find an e-mail that’s been in a breach, HIBP will also show which data breaches it’s been in. This will give some idea as to how old an e-mail address is, but more importantly it’ll give you an idea as to which sites and services the target has (or had) accounts for. HIBP holds breaches for MyFitnessPal, Myspace, AdultFriendFinder, Ancestry, Snapchat, and many, many others. Identifying the breaches your target’s e-mail has been in allows you to identify which sites or services they have used and begin working from there, perhaps with the username technique mentioned in point #2 above.

H8Mail is also a great command-line tool for identifying breached e-mails. Dehashed offers a similar paid-for service that includes the passwords as well as the e-mail addresses, but a note of caution here: whichever country you live in, it’s almost certain that obtaining someone’s password and accessing their e-mail without their authorisation is a criminal offence. It’s certainly far beyond the scope of what can properly be called OSINT.


12 OSINT Resources For E-mail Addresses – NixIntel (7)

Emailrep.io is a great service designed to identify the age of an e-mail account, whether or not it’s linked to phishing, and which other social media accounts it is known to be associated to. This is useful for those dealing with phishing and spammers, but it’s also handyas an OSINT tool. I’ve tried it with several e-mail addresses and it has successfully identified a number of social media services associated to those e-mails, but just be aware that it by no means capture all of them. To check an e-mail, use the following URL:


You can also query the API directly from the command line with the curl command:

curl emailrep.io/[emailprotected]

Both methods produce a JSON file containing a lot of useful information. Here’s an example for the e-mail address [emailprotected]:

$ curl emailrep.io/[emailprotected]{ "email": "[emailprotected]", "reputation": "high", "suspicious": false, "references": 25, "details": { "blacklisted": false, "malicious_activity": false, "malicious_activity_recent": false, "credentials_leaked": true, "credentials_leaked_recent": false, "data_breach": true, "first_seen": "07/01/2008", "last_seen": "02/25/2019", "domain_exists": true, "domain_reputation": "high", "new_domain": false, "days_since_domain_creation": 7179, "suspicious_tld": false, "spam": false, "free_provider": false, "disposable": false, "deliverable": true, "accept_all": true, "valid_mx": true, "spoofable": false, "spf_strict": true, "dmarc_enforced": true, "profiles": [ "foursquare", "pinterest", "facebook", "linkedin", "twitter", "spotify", "gravatar" ] }

Pretty useful eh?

Spycloud has a similar tool, but it returns a much smaller amount of data. The URL to search with is:


(Video) OSINT At Home #10– How to map anything with freely available location data

12 OSINT Resources For E-mail Addresses – NixIntel (8)

The above image shows the results for a query into [emailprotected]. As you can see it returns much less information than Emailrep.

6. Hunter.io

12 OSINT Resources For E-mail Addresses – NixIntel (9)

Hunter is an awesome e-mail OSINT tool. It’s aimed at sales and recruitment professionals but that makes it great for OSINT too (you’ll need to register though). It doesn’t work with common e-mail providers like Gmail, but where an e-mail address is linked to an organisation’s own domain then Hunter is extremely useful. In this example I’ll use Hunter to look at e-mail addresses linked to the domain of the Guardian newspaper, theguardian.com.

12 OSINT Resources For E-mail Addresses – NixIntel (10)

Hunter brings back a list of all the e-mail addresses that it has identified as being linked to that domain, and it’s smart enough to identify which sector of the organisation they most likely work in. It also references the URL where the data was scraped from, which allows you to expand your search further by selecting the “sources” dropdown option on the right hand side. The URLs also stay referenced, even if the original page has been deleted.

12 OSINT Resources For E-mail Addresses – NixIntel (11)

Another useful feature is the ability of Hunter to predict the e-mail address of someone who works at that organisation, based on the format of email addresses it has already discovered. For example if I wanted to check if The Guardian employed someone called “Nix Intel”, I could enter the name into Hunter to predict the likely e-mail address. Even if it doesn’t find any matches, learning the e-mail format allows you to construct possible e-mails and try to find matches on other platforms like LinkedIn (see below).

7. WhitePages

12 OSINT Resources For E-mail Addresses – NixIntel (12)

WhitePages and similar services are useful for reverse e-mail lookups. These companies sit on a vast pile of data from hundreds of sources and can help link e-mails to other identifiers like addresses and phone numbers. However WhitePages is only worth paying for if you’re researching subjects in the US. Data protection and privacy laws mean that it isn’t possible for there to be a UK or EU equivalent to WhitePages, so it’s of limited value as an e-mail lookup tool if your subject resides in the EU.

8. Twitter – Gmail Sync

12 OSINT Resources For E-mail Addresses – NixIntel (13)

Using the contact sync feature on some apps and services allows you to use an e-mail address to identify a subject’s other social media profiles. Aware-Online researched and wrote a great article on this which I recommend you go and read in full. The technique involves creating a ghost Gmail profile and also a Twitter profile linked to the same account. Simply add your target e-mail as a Gmail contact, let Twitter sync with your Gmail contacts and hey presto – if your target e-mail has a Twitter account associated to it then you’ll be able to see it.

9. LinkedIn

12 OSINT Resources For E-mail Addresses – NixIntel (14)

(Video) OSINT At Home #9 – My Top 4 Free Satellite Imagery Sources

LinkedIn is full of OSINT opportunities, including for e-mail research. LinkedIn allows you to tweak a URL to see if there is a profile linked to any given e-mail account. The URL is as follows:


If there is a LinkedIn account associated to the e-mail, it’ll be displayed.

Osint.support now also has a browser add-on available to automatically match LinkedIn accounts to e-mail addresses, and there’s also a web portal to do this at ThumbTube.

But what if you want to work the other way round from a LinkedIn Profile to an e-mail? Matthias Wilson did some excellent research into this topic and really you should read his full post here. In a similar way to the Twitter method mentioned above, Matthias used the way in which Gmail syncs with other services to try to find the e-mail address of someone he found on LinkedIn. He knew their name, and so he used E-mail Permutator to generate a list of probable e-mail addresses. Entering all these into Gmail and then seeing which addresses sync with a LinkedIn profile helps to identify the person’s e-mail address, even if you don’t know it at the outset.

10. MxToolbox

12 OSINT Resources For E-mail Addresses – NixIntel (15)

MxToolbox is a long-established service for diagnostics and lookups for MX (mail exchange) servers. It isn’t so useful for e-mails from popular e-mail domains like Gmail, but where a subject uses an e-mail service with its own mail exchange server (which most large organisations typically do), MxToolbox can help. Identifying a mail exchange server IP address can be a good starting point to move on and look at shared IP addresses, nameservers, reverse IP and other network architecture in order to learn more about your subject’s organisation and web presence. I wrote a previous blog post about that here and here, but an MX server can be a great starting point for these kind of OSINT enquiries.

MxToolbox also offers an e-mail header analysis service. The limitation of this is that you need to be in possession of an e-mail directly from your subject, since the header is overwritten if an e-mail is sent on elsewhere. If you do have an e-mail header (find out how to obtain one here), MxToolbox is able to identify the originating IP address, amongst other things. There is a limitation to this though – the increasing prevalence of cloud-based e-mail services like Office365 means that the originating IP address is much more likely to come from a cloud service provider, and not a location linked directly to the subject.

11. WhoIs

12 OSINT Resources For E-mail Addresses – NixIntel (16)

There’s no doubt that WhoIs is much less useful as an OSINT than it once was due to the rise of anonymising services and legislation like GDPR. However there are still plenty of e-mail addresses linked to WhoIs domain and IP records, either as registrants, tech support, or even abuse contacts. There are a few tools that can search WhoIs records, but ViewDNS have a nice simple interface for checking e-mails against registrant information here.

12. Spiderfoot

12 OSINT Resources For E-mail Addresses – NixIntel (17)

Spiderfoot is a fantastic tool for automating OSINT queries. Explaining how to set up and run Spiderfoot would be a separate blog post altogether (coming soon…) but it‘s a well-supported tool with great documentation. There are dozens of different search modules available but there are a few specific to e-mail addresses that you’ll want to enable. Some of these are:

(Video) OSINT: You can't hide // Your privacy is dead // Best resources to get started

BotScoutSearches botscout.com’s database of spam-bot IPs and e-mail addresses.
E-MailIdentify e-mail addresses in any obtained data.
EmailFormatLook up e-mail addresses on email-format.com.
BuiltWithQuery BuiltWith.com’s Domain API for information about your target’s web technology stack, e-mail addresses and more.
ClearbitCheck for names, addresses, domains and more based on lookups of e-mail addresses on clearbit.com.
IntelligenceXObtain information from IntelligenceX about identified IP addresses, domains, e-mail addresses and phone numbers.

There are plenty of others, including some modules that will automate checks with HaveIBeenPwned and Hunter.io that I’ve desrcibed above.

Simply give your search a title, enter the e-mail address you’re searching for, make sure the relevant modules are enabled, and let Spiderfoot crawl away to find some results.

Are there any other good e-mail tools and techniques that I’ve missed? Let me know on Twitter if there’s some others that I should include.


What is OSINT used for? ›

Open source intelligence (OSINT) is the act of gathering and analyzing publicly available data for intelligence purposes.

What is OSINT framework? ›

OSINT Framework, as its name implies, is a cybersecurity framework, a collection of OSINT tools to make your intel and data collection tasks easier. This tool is mostly used by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering, and reconnaissance.

Is it legal to use OSINT methods to get sensitive information? ›

OSINT sources are distinguished from other forms of intelligence because they must be legally accessible by the public without breaching any copyright or privacy laws. This distinction makes the ability to gather OSINT sources applicable to more than just security services.

What are some OSINT tools we can use for phishing email investigations? ›

theHarvester is an OSINT tool through which users can gather emails, subdomains, IPs, URLs and other pieces of data using numerous public data sources. On the passive side, theHarvester is capable of using search engines such as DuckDuckGo and Google.

Which tool is one of the most popular when collecting OSINT intelligence? ›

SpiderFoot. SpiderFoot is an OSINT tool designed specifically for investigation professionals. It's loved by cybersecurity intelligence experts who need to perform regular asset discovery or attack surface monitoring. The tool can access hundreds of open data sources and monitor the results in real-time.

How do I get started in OSINT? ›

To begin, select a single piece of information such as your full name, email address or username/alias, then start Google dorking and searching social media sites. Googles multitude of search operators is one of your most powerful skills, use it to find as much initial information as possible.

Is OSINT a hacker? ›

OSINT does not require its exponents to hack into systems or use private credentials to access data. Viewing someone's public profile on social media is OSINT; using their login details to unearth private information is not. In intelligence agency terms, OSINT is also information drawn from non-classified sources.

Where can OSINT be applied? ›

OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified, unclassified, or proprietary intelligence requirements across the previous intelligence disciplines.

How much does OSINT cost? ›

The Corporate version, which costs $899 per month, includes a vulnerability search filter and premium support.

What is an example of open source information? ›

Information can also be considered open source if it is: Published or broadcast for a public audience (for example, news media content) Available to the public by request (for example, census data) Available to the public by subscription or purchase (for example, industry journals)

What is an open source search? ›

OpenSearch is a community-driven, Apache 2.0-licensed open source search and analytics suite that makes it easy to ingest, search, visualize, and analyze data. Developers build with OpenSearch for use cases such as application search, log analytics, data observability, data ingestion, and more.

What are the advantages of OSINT? ›

Without barriers to entry to find sources, investigators can quickly locate crucial pieces of data for their operations. Once investigative teams obtain data, they can follow the OSINT cycle to learn how to turn their data into useful intelligence, create OSINT reports, and share findings with the proper stakeholders.

Do private investigators use OSINT? ›

Initially used in the late 80's as a military tool by the United States, OSINT is now used by investigators, journalists, law enforcement, the public, and researchers throughout the world. By using OSINT tools, one can see a clearer picture of an overall case.

How long does it take to learn OSINT? ›

Live OSINT Training

The Open Source Intelligence Techniques (OSINT) training is a 3-day class which presents all of the latest advanced methods of locating online information.

Who can do OSINT? ›

Anyone that wants to learn OSINT, hackers, security professionals, investigators, people interested in security.

How do you gather intelligence? ›

Our principal techniques for gathering intelligence are:
  1. Covert Human Intelligence Sources or “agents”. ...
  2. Directed surveillance, such as following and/or observing targets;
  3. Interception of communications, such as monitoring emails or phone calls;

How is OSINT used in social engineering? ›

Open‐Source Intelligence (OSINT) is an increasingly popular tactic that hackers are using to target organizations and their employees. OSINT is the act of scraping data from publicly available sources. Attackers use the data obtained from OSINT gathering to craft realistic social engineering campaigns.

What is human source intelligence? ›

Human Intelligence (HUMINT) is the collection of information from human sources. The collection may be done openly, as when FBI agents interview witnesses or suspects, or it may be done through clandestine or covert means (espionage). Within the United States, HUMINT collection is the FBI's responsibility.

What are 3 examples of open source? ›

  • GNU/Linux.
  • Mozilla Firefox.
  • VLC media player.
  • SugarCRM.
  • GIMP.
  • VNC.
  • Apache web server.
  • LibreOffice.

How do you read an open source code? ›

How I learn an Open Source Codebase
  1. Some steps. Here's a sequence of events I go through when I'm trying to learn or contribute to an open source project:
  2. Contributing Guidelines. Look at the contributing guidelines first! ...
  3. Project setup. ...
  4. Follow the code. ...
  5. Break things. ...
  6. Log and step through. ...
  7. Conclusion.
May 14, 2018

What are the types of open source? ›

Types of open source software
  • Open source office software.
  • Open source accounting software.
  • Open source operating systems.
  • Open source website software.
  • Open source browsers and communication applications.
  • Open source IT security.
  • Images/multi-media.
  • Open source development tools.

What is the best and safest search engine? ›

10 BEST Private Search Engines: Secure Anonymous Search 2022
  • Comparison Of Some Top Secure Search Engine.
  • #1) Startpage.
  • #2) DuckDuckGo.
  • #3) searX.
  • #4) Qwant.
  • #5) Swisscows.
  • #6) MetaGer.
  • #7) Mojeek.
Aug 22, 2022

Is Google an open source search engine? ›

Regardless of concerns about code contributions, Barua says, a number of companies have switched from Solr to ElasticSearch, including Foursquare. Yes, both of these open source challengers are years behind Google's public search engine. But the point is that they're open source. Google is not.

What is closed source intelligence? ›

Closed Source Intelligence

Converse to OSINT, closed source intelligence (CSINT) is information gathered from sources that are not freely available to the community at large.

How many types of OSINT are there? ›

OSINT sources can be divided up into six different categories of information flow: Media, print newspapers, magazines, radio, and television from across and between countries.

What graphical tool is used for open source intelligence gathering? ›

Maltego is developed by Paterva and is used by security professionals and forensic investigators for collecting and analyzing open source intelligence. It can easily collect Information from various sources and use various transforms to generate graphical results.

Which tool is best for information gathering? ›

Information Gathering Tools
  • Questionnaires, surveys and checklists. Used when you want to collect a lot of information from people in a non-threatening way.
  • Personal interviews. ...
  • Documentation review. ...
  • Observation. ...
  • Focus group. ...
  • Case Studies.

What is maltego tool? ›

Maltego is a comprehensive tool for graphical link analyses that offers real-time data mining and information gathering, as well as the representation of this information on a node-based graph, making patterns and multiple order connections between said information easily identifiable.


1. How to Stalk People Effectively and Legally Through OSINT
2. OSINT Methodology for Usernames Part 2: Tools and Searches
(OSINT Dojo)
3. Finding Fraudsters Who Hide Behind Cloudflare
(SANS Cyber Defense)
4. OSINT tools to track you down. You cannot hide.
(David Bombal)
5. 20200712 OSINT Curious Webcast
(The OSINT Curious Project)
6. OSINT At Home #8 – Calculate time using shadows in a photo or video
Top Articles
Latest Posts
Article information

Author: Prof. Nancy Dach

Last Updated: 05/20/2023

Views: 6614

Rating: 4.7 / 5 (77 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Prof. Nancy Dach

Birthday: 1993-08-23

Address: 569 Waelchi Ports, South Blainebury, LA 11589

Phone: +9958996486049

Job: Sales Manager

Hobby: Web surfing, Scuba diving, Mountaineering, Writing, Sailing, Dance, Blacksmithing

Introduction: My name is Prof. Nancy Dach, I am a lively, joyous, courageous, lovely, tender, charming, open person who loves writing and wants to share my knowledge and understanding with you.