Even in the age of instant messaging apps, email still serves as an ‘official’ medium to communicate between two parties. It’s ironic that electronic mail has not lost its charm till date within the barrage of privacy respecting encrypted chat messengers.

Instead, email services nowadays are adapting to the new age norm of privacy and making their products more privacy hardened with encrypted mailboxes or hard to locate data centers and so on. But the core technology behind email hasn’t changed since its inception.

First Steps

It has become a tradition for any experienced or rookie investigators to start their investigation just by ‘Googling’ stuff out. Finding information about emails is no different, an email that has to be investigated could be played around in a variety of forms.

Raw Email

When a plain email is put in the search bar, the results are limited to the fact that how often that email has been used in public and how open it is to the public. To simplify, if the email is used on multiple blogs, academic websites, personal websites, social media, paste bins, forums etc,. There is a strong chance of retrieving the information about the keywords in the email.

1

From the above image, it’s evident that Google search engine retrieved the information with some keywords involved within the email. It recognized some keywords like ‘john’, ‘snow’, and ‘gmail’. But it didn’t point towards the exact email; why? Because the exact email wasn’t open for viewing in the wild. Interestingly it also tried to match the keywords from different social media such as Twitter and Pininterest. Endless scrolling and jumping to each page might lead to the exact email or might not, and that’s the limitation for the investigators and a slight win for privacy settings.

Quotes

Adding quotes around the email tells the search engine to look for the exact keywords that’s specified within the quotes.

2

Surprisingly, with quotes the email led to one of the primary sources of information.

Bottom line, using quotes around an email tries to retrieve specific information if it exists on the internet.

That’s it? Is it that easy to retrieve information on anyone just by Googling the email address? Well, the answer is no.

3

4

As aforementioned, Google or any search engines could retrieve the information only if they are present on the internet. It depends on a lot of factors such as one’s privacy settings, social engagement, relevance, repeated usage of the same email, or being public and so on.

Dorking

Google dorking is an advanced way of searching results on the internet. Other searching engines such as DuckDuckGo, Bing, Startpage, Brave Search and so on could also be used for dorking. Basically, dorking lets the user to concise the search results and provide the accurate result as possible. And dorking is not only limited to search engines, prominent social media platforms like Twitter, Facebook, TikTok, Vkontakte etc,. have their own set of dorks. Yet again, it depends on the information that’s already available and privacy measures of the user. An article about advanced search operators/dorks could be found here.

Potential Places To Look For Email

• Public Files – intext:”[email protected]” filetype:pdf OR filetype:docx OR filetype:xls • Leaked databases • Online forums • Academic websites • Unfortunately, sometimes on medical websites • Government websites • Job search websites • Automated tools • Social media • Chat apps

Tools

There are several tools on the internet that promise to provide much more information about an email address than just Googling. A caveat here is, those tools are also scraping the data from the internet probably with better scraping methods and algorithms. These tools also change every now and then, due to the changes made from the product/service provider’s end (email) or changes made in their own code(tools). And it’s not new to the OSINT community if some service goes down or becomes redundant, there’ll always be new tools which could be more or less efficient and that depends on various factors that are discussed in the previous paragraphs.

Here are some tools to find information on emails.

  1. Epieos
  2. Hunter
  3. SpiderFoot
  4. Maltego
  5. Anymailfinder
  6. IntelligenceX

Miscellaneous Techniques

Call it stalking or curiosity to know, some platforms such as Skype, lets their users to search usernames or emails of other users. Even in Gmail, some recommendations appear while one types an email for the first time. Some apps also provide information about other users when one’s contacts are synced. There could be many other apps out there which provide a functionality to search for emails or usernames. Another trick could be by changing language in inspect element, or changing geographical location using proxies or VPNs to fetch country specific results. Last but not the least, using the power of other search engines and web scrapers along with Google.

Final Words

Email investigation through publicly available information is tricky and prone to many false positives. This is because of the fact that email service providers are becoming more closed to protect their users’ privacy. And also, most of the search engines out there are not open source, it means no one knows how their algorithms work or how exactly they query information time to time and how a particular information is queried. This is a challenge for many SEO experts and email marketers to update themselves and understand how search engines function and change overtime. There are dorks, but again their use cases are limited. But the use of emails seems to not stop anytime soon.