12 OSINT Resources For E-mail Addresses – NixIntel (2023)

Most OSINT investigations involve an e-mail address at some point. Some start with an e-mail and nothing else. E-mail addresses can sometimes be a bit of a challenge but they can also provide a wealth of information about a subject. The rest of this post will look at a range of different tools and techniques that can be used to get the most from an e-mail address.

The amount of information available about a particular e-mail address can vary widely. This depends on a number of different factors, such as how old the e-mail address is, how widely the owner has published it on the internet, and whether the provider is a common e-mail provided like Gmail or Protonmail, or whether the e-mail address is tied to its own company domain name.

1. Google

12 OSINT Resources For E-mail Addresses – NixIntel (1)

Google is as good a place as any to start a search, but sometimes it can be of surprisingly limited value for finding e-mail addresses. The main reason for this is that the places where people use their e-mail addresses (such as account login pages) are not accessible to Google. Nevertheless there are still some useful ways to find e-mail addresses where Google has indexed them.

Use quotation marks to return exact matches only. Searching for [emailprotected] is more precise than searching for just [emailprotected].

The intext search modifier can also be used to find webpages where the e-mail address appears as a string. This can be particularly effective when combined with the site: modifier to search within the website of a company that your target is associated to. For example site:targetcompany intext:[emailprotected] is much more likely to be successful than just a hit-and-hope search. You could even tweak this technique to find a whole host of e-mail addresses associated to your target’s organisation with the following search term

site:organisation.com intext:@organisation.com

This would return all indexable e-mail addresses within the company’s website. This example shows you can use the following query to find all the e-mail addresses listed within the bbc.co.uk domain:

site:bbc.co.uk intext:@bbc.co.uk

Another really effective technique is to use the filetype: search operator find where your target’s e-mail address. This can find a target’s e-mail address hidden away inside PDF or other file types. This can reveal company documents, invoices, meeting minutes, sports club fixtures or any other kind of document. For example a search like:

intext:”[emailprotected]” filetype:pdf

(Video) Open-Source Intelligence (OSINT) in 5 Hours - Full Course - Learn OSINT!

Will find any PDFs containing Boris Johnson’s parliamentary e-mail address.

It’s particularly effective when searching for e-mails linked to organisations that have a lot of documents available on the web, such as government institutions or universities.

12 OSINT Resources For E-mail Addresses – NixIntel (2)

It’s also worth mentioning FaganFinder at this point. It works in a similar way to the Google filetype: search but it allows to combine different file types with a wider range of search engines.

2. Username

There’s often a link between someone’s e-mail address and their usernames. A good technique to try is to take the first part of a subject’s e-mail address and run it through a number of username search engines. So if you were trying to find out about more about [emailprotected], you’d target the username cryptoscammer666. The more unique an e-mail handle is, the more likely it is you’ll find a match. There are a number of browser based tools that can do this, but my favourite tool by far is Sherlock (set up and usage guide here).

12 OSINT Resources For E-mail Addresses – NixIntel (3)

Just a note of caution though. Attribution and association of usernames is far from certain. Just because two accounts or e-mail addresses have the same username doesn’t mean they’re linked. Further corroboration should be done where possible. In the picture above, I found multiple online accounts with the username “nixintel” – but only one is actually me!

3. Pastes

12 OSINT Resources For E-mail Addresses – NixIntel (4)

Pastes are a treasure trove of OSINT information. They contain data breaches, public records, chatroom logs, and dozens of other kinds of useful information – including e-mail addresses. Pastebin is by far the most widely-used and has its own built in search engine.

NetBootCamp also has a custom search tool that allows you to search simultaneously across multiple paste sites.

12 OSINT Resources For E-mail Addresses – NixIntel (5)

Earlier this year Jake Creps posted an interesting piece of research on how to locate Pastebin pastes that are unlisted and don’t show up in Google searches. I recommend you read Jake’s article in full, but by using the following Google search it would be possible to search for an e-mail in a Pastebin dump listed on a site (such as a hacking forum) that either wasn’t indexed by Google or was so far down the list of search results that it wasn’t visible:

(Video) OSINT: You can't hide // Your privacy is dead // Best resources to get started

Intext:”pastebin.com” AND [emailprotected] –inurl:”pastebin.com”

4. HaveIBeenPwned

12 OSINT Resources For E-mail Addresses – NixIntel (6)

HaveIBeenPwned is a well-known resource for checking if an e-mail has been involved in a data breach, but it can also be of use for OSINT purposes. When you find an e-mail that’s been in a breach, HIBP will also show which data breaches it’s been in. This will give some idea as to how old an e-mail address is, but more importantly it’ll give you an idea as to which sites and services the target has (or had) accounts for. HIBP holds breaches for MyFitnessPal, Myspace, AdultFriendFinder, Ancestry, Snapchat, and many, many others. Identifying the breaches your target’s e-mail has been in allows you to identify which sites or services they have used and begin working from there, perhaps with the username technique mentioned in point #2 above.

H8Mail is also a great command-line tool for identifying breached e-mails. Dehashed offers a similar paid-for service that includes the passwords as well as the e-mail addresses, but a note of caution here: whichever country you live in, it’s almost certain that obtaining someone’s password and accessing their e-mail without their authorisation is a criminal offence. It’s certainly far beyond the scope of what can properly be called OSINT.


12 OSINT Resources For E-mail Addresses – NixIntel (7)

Emailrep.io is a great service designed to identify the age of an e-mail account, whether or not it’s linked to phishing, and which other social media accounts it is known to be associated to. This is useful for those dealing with phishing and spammers, but it’s also handyas an OSINT tool. I’ve tried it with several e-mail addresses and it has successfully identified a number of social media services associated to those e-mails, but just be aware that it by no means capture all of them. To check an e-mail, use the following URL:


You can also query the API directly from the command line with the curl command:

curl emailrep.io/[emailprotected]

Both methods produce a JSON file containing a lot of useful information. Here’s an example for the e-mail address [emailprotected]:

$ curl emailrep.io/[emailprotected]{ "email": "[emailprotected]", "reputation": "high", "suspicious": false, "references": 25, "details": { "blacklisted": false, "malicious_activity": false, "malicious_activity_recent": false, "credentials_leaked": true, "credentials_leaked_recent": false, "data_breach": true, "first_seen": "07/01/2008", "last_seen": "02/25/2019", "domain_exists": true, "domain_reputation": "high", "new_domain": false, "days_since_domain_creation": 7179, "suspicious_tld": false, "spam": false, "free_provider": false, "disposable": false, "deliverable": true, "accept_all": true, "valid_mx": true, "spoofable": false, "spf_strict": true, "dmarc_enforced": true, "profiles": [ "foursquare", "pinterest", "facebook", "linkedin", "twitter", "spotify", "gravatar" ] }

Pretty useful eh?

Spycloud has a similar tool, but it returns a much smaller amount of data. The URL to search with is:


(Video) OSINT At Home #10– How to map anything with freely available location data

12 OSINT Resources For E-mail Addresses – NixIntel (8)

The above image shows the results for a query into [emailprotected]. As you can see it returns much less information than Emailrep.

6. Hunter.io

12 OSINT Resources For E-mail Addresses – NixIntel (9)

Hunter is an awesome e-mail OSINT tool. It’s aimed at sales and recruitment professionals but that makes it great for OSINT too (you’ll need to register though). It doesn’t work with common e-mail providers like Gmail, but where an e-mail address is linked to an organisation’s own domain then Hunter is extremely useful. In this example I’ll use Hunter to look at e-mail addresses linked to the domain of the Guardian newspaper, theguardian.com.

12 OSINT Resources For E-mail Addresses – NixIntel (10)

Hunter brings back a list of all the e-mail addresses that it has identified as being linked to that domain, and it’s smart enough to identify which sector of the organisation they most likely work in. It also references the URL where the data was scraped from, which allows you to expand your search further by selecting the “sources” dropdown option on the right hand side. The URLs also stay referenced, even if the original page has been deleted.

12 OSINT Resources For E-mail Addresses – NixIntel (11)

Another useful feature is the ability of Hunter to predict the e-mail address of someone who works at that organisation, based on the format of email addresses it has already discovered. For example if I wanted to check if The Guardian employed someone called “Nix Intel”, I could enter the name into Hunter to predict the likely e-mail address. Even if it doesn’t find any matches, learning the e-mail format allows you to construct possible e-mails and try to find matches on other platforms like LinkedIn (see below).

7. WhitePages

12 OSINT Resources For E-mail Addresses – NixIntel (12)

WhitePages and similar services are useful for reverse e-mail lookups. These companies sit on a vast pile of data from hundreds of sources and can help link e-mails to other identifiers like addresses and phone numbers. However WhitePages is only worth paying for if you’re researching subjects in the US. Data protection and privacy laws mean that it isn’t possible for there to be a UK or EU equivalent to WhitePages, so it’s of limited value as an e-mail lookup tool if your subject resides in the EU.

8. Twitter – Gmail Sync

12 OSINT Resources For E-mail Addresses – NixIntel (13)

Using the contact sync feature on some apps and services allows you to use an e-mail address to identify a subject’s other social media profiles. Aware-Online researched and wrote a great article on this which I recommend you go and read in full. The technique involves creating a ghost Gmail profile and also a Twitter profile linked to the same account. Simply add your target e-mail as a Gmail contact, let Twitter sync with your Gmail contacts and hey presto – if your target e-mail has a Twitter account associated to it then you’ll be able to see it.

9. LinkedIn

12 OSINT Resources For E-mail Addresses – NixIntel (14)

(Video) The Creepiest OSINT Tool to Date

LinkedIn is full of OSINT opportunities, including for e-mail research. LinkedIn allows you to tweak a URL to see if there is a profile linked to any given e-mail account. The URL is as follows:


If there is a LinkedIn account associated to the e-mail, it’ll be displayed.

Osint.support now also has a browser add-on available to automatically match LinkedIn accounts to e-mail addresses, and there’s also a web portal to do this at ThumbTube.

But what if you want to work the other way round from a LinkedIn Profile to an e-mail? Matthias Wilson did some excellent research into this topic and really you should read his full post here. In a similar way to the Twitter method mentioned above, Matthias used the way in which Gmail syncs with other services to try to find the e-mail address of someone he found on LinkedIn. He knew their name, and so he used E-mail Permutator to generate a list of probable e-mail addresses. Entering all these into Gmail and then seeing which addresses sync with a LinkedIn profile helps to identify the person’s e-mail address, even if you don’t know it at the outset.

10. MxToolbox

12 OSINT Resources For E-mail Addresses – NixIntel (15)

MxToolbox is a long-established service for diagnostics and lookups for MX (mail exchange) servers. It isn’t so useful for e-mails from popular e-mail domains like Gmail, but where a subject uses an e-mail service with its own mail exchange server (which most large organisations typically do), MxToolbox can help. Identifying a mail exchange server IP address can be a good starting point to move on and look at shared IP addresses, nameservers, reverse IP and other network architecture in order to learn more about your subject’s organisation and web presence. I wrote a previous blog post about that here and here, but an MX server can be a great starting point for these kind of OSINT enquiries.

MxToolbox also offers an e-mail header analysis service. The limitation of this is that you need to be in possession of an e-mail directly from your subject, since the header is overwritten if an e-mail is sent on elsewhere. If you do have an e-mail header (find out how to obtain one here), MxToolbox is able to identify the originating IP address, amongst other things. There is a limitation to this though – the increasing prevalence of cloud-based e-mail services like Office365 means that the originating IP address is much more likely to come from a cloud service provider, and not a location linked directly to the subject.

11. WhoIs

12 OSINT Resources For E-mail Addresses – NixIntel (16)

There’s no doubt that WhoIs is much less useful as an OSINT than it once was due to the rise of anonymising services and legislation like GDPR. However there are still plenty of e-mail addresses linked to WhoIs domain and IP records, either as registrants, tech support, or even abuse contacts. There are a few tools that can search WhoIs records, but ViewDNS have a nice simple interface for checking e-mails against registrant information here.

12. Spiderfoot

12 OSINT Resources For E-mail Addresses – NixIntel (17)

Spiderfoot is a fantastic tool for automating OSINT queries. Explaining how to set up and run Spiderfoot would be a separate blog post altogether (coming soon…) but it‘s a well-supported tool with great documentation. There are dozens of different search modules available but there are a few specific to e-mail addresses that you’ll want to enable. Some of these are:

(Video) OSINT At Home #6 – Find when an image was taken with satellite imagery

BotScoutSearches botscout.com’s database of spam-bot IPs and e-mail addresses.
E-MailIdentify e-mail addresses in any obtained data.
EmailFormatLook up e-mail addresses on email-format.com.
BuiltWithQuery BuiltWith.com’s Domain API for information about your target’s web technology stack, e-mail addresses and more.
ClearbitCheck for names, addresses, domains and more based on lookups of e-mail addresses on clearbit.com.
IntelligenceXObtain information from IntelligenceX about identified IP addresses, domains, e-mail addresses and phone numbers.

There are plenty of others, including some modules that will automate checks with HaveIBeenPwned and Hunter.io that I’ve desrcibed above.

Simply give your search a title, enter the e-mail address you’re searching for, make sure the relevant modules are enabled, and let Spiderfoot crawl away to find some results.

Are there any other good e-mail tools and techniques that I’ve missed? Let me know on Twitter if there’s some others that I should include.


Which of these are OSINT tools? ›

Top OSINT tools
  • Maltego.
  • Mitaka.
  • SpiderFoot.
  • Spyse.
  • BuiltWith.
  • Intelligence X.
  • DarkSearch.io.
  • Grep.app.
28 Jun 2021

What is GHunt? ›

GHunt lets individuals, or security experts, analyze a target's Google “footprint” based just on an email. The open source intelligence, or OSINT, tool can extract the account owner's name and Google ID, YouTube channel, and active Google services, including Photos and Maps.

Which tool automates information gathering from OSINT? ›


Recon-ng is a web reconnaissance and OSINT framework written in Python. It can automate the process of information-gathering by thoroughly and quickly exploring the open-source information on the web.

How many types of OSINT are there? ›

Different Kinds Of OSINT Gathering

OSINT gathering is done by using one of three primary methods, passive, semi-passive, and active. Using one rather than another is dependent on the scenario and the kind of intelligence that you are interested in.

Which of the following is a source for OSINT? ›

OSINT sources can be divided up into six different categories of information flow: Media, print newspapers, magazines, radio, and television from across and between countries.

How do I get started in OSINT? ›

To begin, select a single piece of information such as your full name, email address or username/alias, then start Google dorking and searching social media sites. Googles multitude of search operators is one of your most powerful skills, use it to find as much initial information as possible.

Are OSINT tools Legal? ›

Is OSINT illegal? While OSINT techniques are often used by malicious hackers as reconnaissance before they launch an illegal attack, for the most part the tools and techniques themselves are perfectly legal—after all, they're designed to help you home in on data that's published or otherwise in the public view.

What is OSINT in cyber security? ›

Open source intelligence (OSINT) is the act of gathering and analyzing publicly available data for intelligence purposes.

What is a Gaia ID? ›

Gaia is the ID management system for all Google products. This ID may be a e-mail address associated with a Google domain (for example, user@gmail.com ) or an e-mail address in another domain that has been configured by a Google Workspace domain administrator.

What can you do with a Google ID? ›

With a Google Account, you can do things like: Send and receive email using Gmail. Find your new favorite video on YouTube. Download apps from Google Play.

Is Google a Osint tool? ›

While there are many free and useful tools available to security professionals and threat actors alike, some of the most commonly used (and abused) open source intelligence tools are search engines like Google — just not as most of us know them.

What is better than maltego? ›

We have compiled a list of solutions that reviewers voted as the best overall alternatives and competitors to Maltego, including ActivTrak, Mimecast Email Security with Targeted Threat Protection, Crowdstrike Falcon Endpoint Protection Platform, and Intezer Analyze.

Why is OSINT important? ›

OSINT analysts are experts at finding and preventing threats to organizations. The range of online information that could harm your business is endless. Empowering a team to use OSINT tools and techniques will go a long way to ensuring your organization is a step ahead of online threats.

What is a common tool used for detailed information gathering? ›

Wireshark. Wireshark is one of the most well-known and often used packet sniffing tools available today. It is used by cybersecurity professionals, network administrators and hackers to collect information from networks.

Where can I practice OSINT? ›

https://www.reddit.com/r/Intelligence/ https://www.thecipherbrief.com/ https://www.bellingcat.com/tag/osint/ https://www.wired.com/category/security/

What are OSINT skills? ›

Open-source intelligence (OSINT) is the investigative practice of combing through freely available information to find specific data. It is used in many different capacities like law enforcement, missing persons, corporate investigations, and even in your personal life.

What are the different sources of intelligence? ›

These disciplines include human intelligence HUMINT), signals intelligence (SIGINT), imagery intelligence (IMINT), measurement and signatures intelligence (MASINT), and open source intelligence (OSINT). Each of these disciplines is used by adversaries against the United States to some degree.

How do OSINT tools work? ›

This tool uses the Google search engine to retrieve public PDFs, Word Documents, Powerpoint and Excel files from a given domain. It can then autonomously extract metadata from these documents to produce a report listing information like usernames, software versions, servers and machine names.

Is OSINT really intelligence? ›

OSINT is intelligence “drawn from publicly available material”, according to the CIA. Most intelligence experts extend that definition to mean information intended for public consumption.

What is maltego used for? ›

Maltego is a program that can be used to determine the relationships and real world links between: People. Groups of people (social networks) Companies.

What does an OSINT analyst do? ›

Open source intelligence (OSINT)

Analysts use OSINT to find weaknesses in security networks, identify threats or study market trends. With the amount of information available online, intelligence analysts must be able to discern which information is relevant and know where to find it.

What are the phases of OSINT? ›

Five steps of the OSINT cycle consists of Planning, Gathering, Analysis, Dissemination and Feedback.

Do private investigators use OSINT? ›

Technically, anyone who knows how to use the tools and techniques to access the information is using the process. However, the process is used formally by the United States intelligence community, the military, law enforcement, IT security professionals, private businesses, and private investigators.

Is OSINT framework free? ›

Is OSINT free? OSINT mines public sources of information, which usually means the Web, where most information is free. Some data collections and news sources might require a subscription for access.

What is an open source check? ›

Posted on August 13, 2018 November 29, 2021 by AMAC. An OSINT check is an open source intelligence check and can also be referred to as an internet/web mining check. It is used as part of a background screening check and looks at a candidate's online activity.

How can OSINT be used to track cyber criminals? ›

OSINT finds digital footprints that are publicly accessible in any format, including videos, images, conferences, research papers, webinars, etc. It is recognized as a legal activity as long as the person does not break the law, jeopardizes an individual's privacy, or violates the copyrights.

Why is open source intelligence important in cyber security? ›

Security teams must gather intelligence from every corner that they can. Open source threat intelligence software is essential for any enterprise using public data sources to inform their decision-making.

Is Nmap a OSINT tool? ›

Nmap is one of the most popular and widely used security auditing tools, its name means "Network Mapper". Is a free and open source utility utilized for security auditing and network exploration across local and remote hosts.

What graphical tool is used for open source intelligence gathering? ›

Maltego. Maltego is an OSINT and graphical link analysis tool for gathering and connecting information for investigative tasks.

What is OSINT used for? ›

Open source intelligence (OSINT) is the act of gathering and analyzing publicly available data for intelligence purposes.

Is Nmap considered OSINT? ›

It's a myth that OSINT is an Open Source Software like nmap. OSINT refers to any un-classified intelligence and includes anything freely available on the Web. OSINT sources include business websites, social networks, videos, forums, blogs, and news sources.

How do hackers use nmap? ›

Nmap can be used by hackers to gain access to uncontrolled ports on a system. All a hacker would need to do to successfully get into a targeted system would be to run Nmap on that system, look for vulnerabilities, and figure out how to exploit them. Hackers aren't the only people who use the software platform, however.

What is OSINT framework? ›

OSINT Framework, as its name implies, is a cybersecurity framework, a collection of OSINT tools to make your intel and data collection tasks easier. This tool is mostly used by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering, and reconnaissance.

Is aircrack ng OSINT? ›

Key Features of Aircrack-ng

It is the best OSINT tool to crack WEP and WPA-PSK in Windows. It is created to uncover wireless passwords. It monitors and conducts pen-testing on wireless networks only.

What is maltego tool? ›

Maltego is software used for open-source intelligence and forensics, developed by Paterva from Pretoria, South Africa. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining.

How do I get started in OSINT? ›

To begin, select a single piece of information such as your full name, email address or username/alias, then start Google dorking and searching social media sites. Googles multitude of search operators is one of your most powerful skills, use it to find as much initial information as possible.

What is better than maltego? ›

We have compiled a list of solutions that reviewers voted as the best overall alternatives and competitors to Maltego, including ActivTrak, Mimecast Email Security with Targeted Threat Protection, Crowdstrike Falcon Endpoint Protection Platform, and Intezer Analyze.

Is OSINT a hacker? ›

OSINT does not require its exponents to hack into systems or use private credentials to access data. Viewing someone's public profile on social media is OSINT; using their login details to unearth private information is not. In intelligence agency terms, OSINT is also information drawn from non-classified sources.

Are OSINT tools Legal? ›

Is OSINT illegal? While OSINT techniques are often used by malicious hackers as reconnaissance before they launch an illegal attack, for the most part the tools and techniques themselves are perfectly legal—after all, they're designed to help you home in on data that's published or otherwise in the public view.

How do you collect intelligence information? ›

Our principal techniques for gathering intelligence are:
  1. Covert Human Intelligence Sources or “agents”. ...
  2. Directed surveillance, such as following and/or observing targets;
  3. Interception of communications, such as monitoring emails or phone calls;

Is it legal to use nmap? ›

Network probing or port scanning tools are only permitted when used in conjunction with a residential home network, or if explicitly authorized by the destination host and/or network. Unauthorized port scanning, for any reason, is strictly prohibited.

What happens when you Nmap Google? ›

It discovers open/firewalled/redirected ports, identifies the type of system and (eventual) IDS, gives a unique fingerprint to track the host and shows the type of remote services, all with fallback automation.

Is Nmap a malware? ›

The Nmap project has been wrongfully labeled as a cybersecurity “threat” by Google Chrome's Safe Browsing service. The incident is the latest example of legitimate security tools becoming categorized in the same way as malware, phishing code, or malicious exploits.


1. OSINT tools to track you down. You cannot hide.
(David Bombal)
2. 20201004 OSINT Curious Webcast
(The OSINT Curious Project)
3. 20201101 The OSINT Curious Webcast
(The OSINT Curious Project)
4. Moving Past Just Googling It: Harvesting and Using OSINT | SANS@MIC Talk
(SANS Institute)
5. OSINT Methodology for Usernames Part 2: Tools and Searches
(OSINT Dojo)
6. 20200712 OSINT Curious Webcast
(The OSINT Curious Project)
Top Articles
Latest Posts
Article information

Author: Mrs. Angelic Larkin

Last Updated: 01/26/2023

Views: 6259

Rating: 4.7 / 5 (67 voted)

Reviews: 82% of readers found this page helpful

Author information

Name: Mrs. Angelic Larkin

Birthday: 1992-06-28

Address: Apt. 413 8275 Mueller Overpass, South Magnolia, IA 99527-6023

Phone: +6824704719725

Job: District Real-Estate Facilitator

Hobby: Letterboxing, Vacation, Poi, Homebrewing, Mountain biking, Slacklining, Cabaret

Introduction: My name is Mrs. Angelic Larkin, I am a cute, charming, funny, determined, inexpensive, joyous, cheerful person who loves writing and wants to share my knowledge and understanding with you.