OSINT for Email Lookup Tips
There are various ways to search for an email address, such as through social media, finding who owns the email, its history, and others. Here are some tips you can use:
- Data breach
Breach data can be used to find detailed information. The impact of a data breach is very broad, depending on the content of the data. In many cases it contains addresses, full names, cell phone numbers and email addresses. You can use breach data to search for information: there are lots of data brokers that you can use, or you can search for the breach data yourself through forums, darknet or dark web sites and others. For example:

Customize it to your target, and always be careful with data breach disclosure, because there are some risks if you don't have a clear legal basis and purpose.
- Reset password function
You can take advantage of the password reset function on each platform or target site that you want to collect from. Note that this requires research and knowledge of web programming and IT security: you must find endpoints and do research such as pentesting, then use it to determine which account the email address is connected to and who owns it. Many social media platforms tell us whether an email address is registered or not. If you have a lot of money you can buy APIs for each of these platforms or buy OSINT platforms, but if you have your own expertise you can create your own microservice and then call it from Postman. For example:

Note that you need to know the email address, username, phone number or fingerprint (metadata) that you want to search for. You also need to understand what web scraping is, as well as web browsing and HTTP concepts.
- Username enumeration
This is the same as the previous point: you need to understand web programming concepts, the business flow of your target platform or site, and pentesting. There are many sites and platforms, such as social media, from which we can collect usernames. The cool name for this is username enumeration: we can find out whether a username is registered or not. Then try using password reset or advanced search to find the email address and phone number of the account owner; if found, it is valid. Example:
- Email permutation
You can also search using email permutation. If you have found a username and the response turns out to be censored, like t***@gmail.com, you can use an email permutator to find which address is probably a valid email.

Note that you need to understand the format used by each platform or email server. For example, if the email address is connected to AD, it usually has a format such as first name.last name followed by a domain, as with Microsoft email or business email.
- Check MX and DMARC
This applies if your target uses a domain under a TLD such as .com, .net or .id. As before, you need to understand the concepts of email servers, web servers and web administration. You can check the email headers along with MX, SPF and other attributes; every HTTP message also has headers, and you need to understand them. Then you can use whois and the dig command to find out who owns the domain. Here is an example about MX and DMARC:
- MX Record (Mail Exchange Record)
An MX record is a DNS setting that tells where emails for your domain should be delivered.
Example:
If your domain is example.com, the MX record might say:
`10 mail.example.com`
This means all emails sent to @example.com will go to the server mail.example.com.
Lower number = higher priority.
An MX record must point to a hostname (not an IP address).
- DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is a security rule that helps protect your domain from fake or phishing emails.
It works with:
  - SPF (which checks who is allowed to send email from your domain)
  - DKIM (which checks if the email was changed in transit)

Example DMARC record:
`_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:report@example.com"`
This means:
  - Use DMARC version 1.
  - If an email fails the check, reject it.
  - Send reports to report@example.com.
Conclusion
MX record = Where your email goes.
DMARC = How to protect your email from being used by spammers or hackers.
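
The MX and DMARC rules above, as an added example that is not part of the original repo: a small offline parser that sorts MX records by priority and lists the weaknesses in a DMARC record that a domain owner should fix. The function names and all sample records except the page's own DMARC value are assumptions constructed for illustration.

```python
# Added example: function names are hypothetical, sample records are constructed.
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def parse_mx(lines):
    """Parse 'preference host' MX lines and return them in delivery order."""
    records = []
    for line in lines:
        pref, host = line.split()
        host = host.rstrip(".").lower()
        if is_ip(host):
            raise ValueError(f"MX must point to a hostname, not an IP: {host}")
        records.append((int(pref), host))
    return sorted(records)  # lower number = higher priority

def parse_dmarc(txt):
    """Split a DMARC TXT value into tags; v=DMARC1 must be the first tag."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("not a DMARC1 record")
    return tags

def assess_dmarc(tags):
    """Return the weaknesses a domain owner should fix (empty list = none found)."""
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none: receivers are asked to take no action on failing mail")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports are received")
    return findings

SAMPLE_MX = ["20 backup.example.com.", "10 mail.example.com."]  # constructed
STRICT = "v=DMARC1; p=reject; rua=mailto:report@example.com"    # from the page
WEAK = "v=DMARC1; p=none; pct=50"                               # constructed
print(parse_mx(SAMPLE_MX), assess_dmarc(parse_dmarc(WEAK)))
```

To check a live domain you own, feed these functions the answers from `dig MX` and `dig TXT _dmarc.<domain>`.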

- Scraping
You can use web scraping to search for email addresses on the internet. For this point, you need to know about programming and HTTP, because each site has security measures such as a WAF and other things, so you need to understand computers and IT security in detail. Example:
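```python
import re

import requests
from bs4 import BeautifulSoup

# Target URL
url = "https://example.com"
# Set a timeout so the request cannot hang, and stop on HTTP errors
response = requests.get(url, timeout=10)
response.raise_for_status()

# Extract the visible text from the HTML
soup = BeautifulSoup(response.text, "html.parser")
text = soup.get_text()

# Match email-like strings, then remove duplicates
emails = re.findall(r"[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+", text)
unique_emails = sorted(set(emails))

print("Email ditemukan:")
for email in unique_emails:
    print(email)
```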
- Data broker or platform
You can use data brokers as well as the available OSINT tool platforms. If you have more money you can subscribe to the available OSINT tools. As for the free ones like GHunt, Holehe and others, you can search for them in my repo.
*I will add more soon if there is a new technique, OK!