OSINT – By Email

Trace Labs is a place where OSINT enthusiasts can participate in real operations but its also a place to learn. The following post is a training document for instances when all you have is someone’s email. Here are some tools you can use (in no particular order). Try them all and see which ones you prefer.


Allows you do browse an entire domain. Useful for finding lots of emails for a large corporate target.


An email verification service. Tells you if the email is valid. You may need to login with a valid email in order to utilize this service. Last time we checked, they didn’t accept protonmail.


Another email checker. Company seems a bit dodgy.


Another email checker.


Another email checker.


Yup. Google does really well and is a go to option.


As much as I hate to admit it, Bing bring a different and sometimes better search result for email searches than Google. Try both.


While we may not care if the target’s info was previously breached, we do care about the services that this will show they use (or at least used).


Same as above. Gives us a list of services they registered with that email address.


Pipl sometimes delivers a gem and is worth trying out. You can use more than email as well.


Similar to Pipl. You can search by email, name or even IP.


Similar to Pipl.


Similar to Pipl. Nicer interface.


A whois by email address.


A fantastic little tool that allows you to see all the DNS trails that were registered to a particular email address. Keep in mind that this is historical data and so while correct, it is not current.


Everyone loves gravitars right? Well if your target already registered their email with this site, you can get additional information.


What did we miss?

Leave a Reply