OSINT - Simple tips #5 - Email addresses

Jan 26, 2021 by Alexandre Croix | 7902 views



This blog post will talk about email addresses.

Searching by the real name of your target can be very frustrating if its name is very common. It is easy to get lost in the results. There may a lot of John Doe but only one john.doe080287@outlook.com. Another important point, email addresses ARE usernames on many websites. By knowing an email address you can discover other systems the target may use.

Professional e-mail addresses

Usually, company e-mail follows a pattern. Patterns might be:

  • first_name@company
  • last_first@company
  • Flast@company
  • F.last@compan
  • .......

It is easy to create a script that performs all permutations for a target. Some online services exist for this task. E-mail permutator+ or Mailtester Ninja for example.

As an example, we try to find all possible combinations for John Doe with the domain example.com. The results are shown in the second figure.

Another method to find the pattern used in a specific company is to use some tools like Hunter.io or Email format. These websites allow us to perform research on domain names to find email addresses used somewhere on the Internet.

For example, we perform research on apple.com domain.

Hunter.io has 3,428 addresses for the domain apple.com. It informs us the most common pattern is flast@apple.com. If you create an account, you will be able to see the complete addresses.

For each address, hunter.io shows you where it found the address.

This feature allows an analyst to find the address of his target easily.

Personal e-mail addresses

Of course, it is possible to find a personal address with hunter.io but is not something that occurs very often. A good tool to find information about personal addresses is the Email reputation tool.

This free tool provides a lot of good information about a specific email address.

In the details about an email address we can see:

  • Is it a valid email?
  • Is it blacklisted?
  • Associated social media accounts

On the example, we can see a Reddit, Linkedin, Instagram, Github,... accounts liked to this mail address.

Sometimes, it is necessary to check if an address is valid (or still used) but you are not able to find any information about it. In this case, you can use an Email-verifier. The Mailtester Ninja is a good example. The tool accepts a specific address or a bulk of several addresses and tests all of them to find valid ones.

The above figure shows an example with the domain name cylab.be. The tool is able to find a valid address from all first-name/last-name combinations.


In this blog post, we present a quick OSINT overview of email addresses. It is obviously possible to go deeper and find other information with different tools (leaked database for example), but the goal of these OSINT posts is to provide a small introduction on this very interesting field.

We will continue next weeks with other OSINT subjects!

This blog post is licensed under CC BY-SA 4.0

This website uses cookies. More information about the use of cookies is available in the cookies policy.