
# OSINT for Email Lookup Tips

There are various ways to search for an email address, such as through social media, finding out who owns the email, its history, and others. Here are some tips you can use.

## 1. Data breach

As we know, a data breach can be used to find detailed information; the impact of a data breach is very broad, depending on the content of the data. In many cases there are addresses, full names, cell phone numbers and email addresses. You can use data breaches to search for information: there are lots of data brokers that you can use, or you can search for the data breach yourself through forums, darknet or dark web sites and others. For example, like this:

<figure><img src="/files/wZbjFRvY098rWd3dAFNE" alt=""><figcaption></figcaption></figure>

Customize it to your target, and always be careful with data breach disclosures, because there are risks if you don't have a clear legal basis and purpose.

## 2. Reset password function

You can take advantage of the password reset function on each platform or target site that you want to collect from. Note that this requires research and knowledge of web programming and IT security: you must find the endpoints and do research such as pentesting, then use them to match the email address to the account it is connected to and to who owns it. Many social media platforms tell us whether an email address is registered or not. If you have a lot of money you can buy API access on each of these platforms or buy OSINT platforms, but if you have your own expertise you can create your own microservice and call it from Postman, or create your own automation tool such as an email finder. Example like this:

<figure><img src="/files/u22rFToWlw22S43COu2J" alt=""><figcaption></figcaption></figure>

Note that you need to know the email address, username, phone number or fingerprint (metadata) that you want to search for. You also need to understand what web scraping is, as well as web browsing and HTTP concepts.

## 3. Username enumeration

This point is the same as before: you need to understand web programming concepts, the business flow of your platform or target site, and pentesting. There are many sites or platforms, such as social media, from which we can collect usernames. The cool name for this is username enumeration: we find out whether a username is registered or not. Then try using a password reset or advanced search to find the email address and phone number of the account owner; if found, it is valid. Example:

<https://portswigger.net/burp/documentation/desktop/testing-workflow/authentication-mechanisms/guessing-usernames-for-known-users>

<https://portswigger.net/burp/documentation/desktop/testing-workflow/authentication-mechanisms/enumerating-usernames>
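Seen from the defender's side, sections 2 and 3 both depend on a reset endpoint that answers differently for registered and unregistered addresses. The following added example (not from the original page; the account store, handler names and limits are assumptions) puts a leaky handler beside one that returns a uniform response and rate-limits each client, with a check you can run against your own handler.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: a hypothetical account store.
REGISTERED = {"alice@example.com", "bob@example.com"}
GENERIC = (200, "If that address is registered, a reset link has been sent.")


def reset_leaky(email):
    """Leaky form: status and body reveal whether the address has an account."""
    if email.lower() in REGISTERED:
        return 200, "Reset link sent."
    return 404, "No account with that email address."


class ResetEndpoint:
    """Hardened form: uniform response, queued mail, per-client rate limit."""

    def __init__(self, max_requests=3, window_seconds=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.hits = defaultdict(deque)  # client id -> recent request times
        self.outbox = []                # stands in for an async mail queue

    def handle(self, client_id, email):
        now = self.clock()
        recent = self.hits[client_id]
        while recent and now - recent[0] >= self.window:
            recent.popleft()            # forget requests outside the window
        if len(recent) >= self.max_requests:
            return 429, "Too many requests."
        recent.append(now)
        if email.lower() in REGISTERED:
            # Queue instead of sending inline, so response time does not
            # depend on whether the address exists.
            self.outbox.append(email.lower())
        return GENERIC


def is_enumerable(handler, known, unknown):
    """True if the responses distinguish a known address from an unknown one."""
    return handler(known) != handler(unknown)
```
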

## 4. Email permutation

You can search using email permutation. If you have found a username and the response turns out to be censored, like t\*\*\*@gmail.com, you can use an email permutator to find which address is probably valid; you can check by brute force or manually from the results (check the image).

<figure><img src="/files/kEE7MM8lrWWRbDgviW5q" alt=""><figcaption></figcaption></figure>

Note that you need to understand the format used by each platform or email server. For example, if the email address is connected to AD, it usually has a format such as first name.last name followed by a domain, as with Microsoft email or business email, or edu or university email.

Username: "test jieyab wagyu", domain: "suyab.local", email: "<test.wagyu@suyab.local>"

## 5. Check MX and DMARC

This applies if your target uses a domain under a TLD such as .com, .net or .id. As before, you need to understand the concepts of email servers, web servers and web administration. You can check the email header along with the MX, SPF and other attributes; every HTTP message has headers, and you need to understand them. You can then use whois and the dig command to find out who owns the domain. Here is an example of MX and DMARC:

* MX Record (Mail Exchange Record)

An MX record is a DNS setting that tells where emails for your domain should be delivered.

Example:

If your domain is example.com, the MX record might say:

**10 mail.example.com**

This means all emails sent to @example.com will go to the server mail.example.com.

Lower number = higher priority.

An MX record must point to a hostname (not an IP address).

* DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is a security rule that helps protect your domain from fake or phishing emails.

It works with:

SPF (which checks who is allowed to send email from your domain)

DKIM (which checks if the email was changed in transit)

Example DMARC record:

`_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:report@example.com"`

This means:

Use DMARC version 1.

If an email fails the check, reject it.

Send reports to <report@example.com>.

Conclusion

MX record = Where your email goes.

DMARC = How to protect your email from being used by spammers or hackers.

<figure><img src="/files/UwueamvVU4ETMsyRX1Bc" alt=""><figcaption></figcaption></figure>
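The record formats above can be checked mechanically when you audit your own domain's mail configuration. The following is an added example, not code from the original page: it parses a DMARC record like the one shown above, flags weak policy settings, orders MX records by priority and flags MX targets that are IP addresses. The function names and finding texts are assumptions, and the inputs are the TXT and MX answers you would get from dig.

```python
import ipaddress


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def dmarc_findings(tags):
    """List the weaknesses in a parsed policy (empty list = nothing flagged)."""
    if tags is None:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append("pct below 100: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def parse_mx(records):
    """Turn 'preference host' strings into pairs, lowest preference first."""
    pairs = []
    for record in records:
        preference, host = record.split()
        pairs.append((int(preference), host.rstrip(".").lower()))
    return sorted(pairs)


def mx_ip_targets(pairs):
    """Return MX targets that are IP literals instead of hostnames."""
    bad = []
    for _, host in pairs:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        bad.append(host)
    return bad
```
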

## 6. Scraping

You can use web scraping to search for email addresses on the internet. For this you need to know programming and HTTP, because each site has security such as a WAF and other things, so you need to understand computers and IT security in detail. Example code:

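```python
import re

import requests
from bs4 import BeautifulSoup

# Target URL
url = "https://example.com"

# Fail fast on network problems and HTTP errors instead of parsing an error page
response = requests.get(url, timeout=10)
response.raise_for_status()

# Reduce the page to its text; the separator keeps adjacent elements apart
soup = BeautifulSoup(response.text, "html.parser")
text = soup.get_text(" ")

# Each domain label must follow a dot, so a sentence-ending dot after an
# address is not captured as part of it
emails = re.findall(r"[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+", text)

# Deduplicate and sort for stable output
unique_emails = sorted(set(emails))

print("Email ditemukan:")  # Indonesian for "Emails found:"
for email in unique_emails:
    print(email)
```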

## 7. Data broker or OSINT platform

You can use data brokers as well as the available OSINT tool platforms. If you have more money you can subscribe to the OSINT tools available. Free ones such as GHunt, Holehe and others can be found in my repo.

## 8. Check from stealer malware log DB or broker

If you've ever heard the term malware, or malicious software, you'll also know what malware and malware families are and the different types. In OSINT, especially for CTI (Cyber Threat Intel), stealer logs can be used to find out initial access and to search data such as email addresses, passwords, cookies and other data that has been collected by stealer malware. On various platforms there are dumps from stealer malware that you can search for an email address, password or other things, depending on the data collected. In this case, they can be used to search for an email address.

## 9. Search on scholarly platform

If you are looking for someone's email address or name, especially if they are educated people such as scientists, lecturers, students, professionals and others, you can search for the name or email on scholarly sites such as Google Scholar, ResearchGate, IEEE, Scopus, SINTA, Publish or Perish, etc. This can allow you to find the email address, who owns the email, how to contact them and so on. I often do this when I want to do knowledge research.

## 10. Dorking

Google dorking is a popular way to search for data such as email addresses, usernames, websites and more. You can do it manually or use the automation tools available. Good dorking means writing a correct dork query, such as a site name or domain extension (.com, .net), for your search; you can also use regex to do permutation to make it easier.

```
site:edu OR site:ac.id "<degree>. <name>" "@gmail.com"
```

## 11. Recognize the domain extension

If you understand what domain extensions such as .com are, you can take advantage of their meaning. For details, see below:

<https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains>

Other techniques, such as Whois and Whois history, let you find out the owner of the domain or details about the website, for example whether it is a commercial site, a community, TV and so on, along with data such as @gmail.com or @icloud.com addresses, phone numbers, addresses and other things. You can learn to recognise the many email formats in use, which can serve as clues or information about the email.

## 12. Check the Google Service

If the email uses a Google service, such as @gmail.com or similar, check for information like exported IDs, GAIA, Google Maps, and other Google services. If you’re skilled in programming, I recommend creating your own script to enumerate Google services; however, if you’re not, you can use platforms like Epieos, OSINT Industries, and others. Checking Google services on these platforms can sometimes reveal interesting findings.

## 13. Parsing the Collected Information

Parse the data you’ve found (aliases, company names, first and last names, commonly used usernames, nicknames, and other information) and map it to various email services like Google or Gmail, or to the domains you’ve identified. For example, for the username “ABC” you can parse this data to create email addresses such as <ABC@gmail.com>, <ABC@tes.com>, <ABC1337@gmail.com>, etc. This is similar to a brute-force or email permutator attack, but uses the wordlist you have from the clues you’ve found. Doing this usually uncovers details you might have missed if your information hits a dead end.

## 14. Pivoting and Data Correlation

If you’ve hit a dead end with your information, try pivoting: dig deeper into the clues you’ve found, such as a username, frequently used services, interests, or points of interest (POIs), and the correlations between the data you’ve uncovered. Use techniques like rainbow tables, for instance performing brute-force attacks and email permutations based on the clues and correlated data you’ve uncovered. If that yields no results, try pivoting to other sources, such as forums they frequently visit, e-commerce sites, or related business information, among others. This depends on your enumeration and reconnaissance efforts; I typically parse through large datasets and pivot to uncover hidden email addresses.

\*I will add more soon if there is a new technique, OK!


