The OSINT Newsletter - Issue #86
Email OSINT That Goes Beyond Tools
Welcome to the 86th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here's an overview of what's in this issue:
Email OSINT basics
Reverse Email Lookup
Pivoting
Case Study
Key Takeaways
Let's get started.
In an ideal world, we'd kick off every mission with an email address to plug into our top-of-the-range pro OSINT tools… plus a couple of aliases to test through afterwards.
But unfortunately, emails can be elusive. You won't always have an email to work with; and even if you do, you might not know how to use it. Worst of all, you could get the wrong address - and waste precious time on worthless leads. That's why we're here to give you the low-down on email search methods. In this issue, we'll cover:
Reverse vs regular email search (and how to do it)
Email validation (so you don't chase dead leads)
How to pull usernames from emails (and try other providers)
We've got email - and by the end of this issue, you'll get it too. Let's get started.
Email Lookup vs Reverse Email Lookup
Before we get into how to do it, we need to understand what reverse email search is. On the whole, email OSINT uses two distinct types of search: email lookup, and reverse email lookup. The distinction sounds a little Pythonesque (People's Front of Judea, anyone?). But the actual difference is huge:
Email Lookup (aka Email Discovery) is a search starting with a name, company, or domain, that discovers an associated email address.
Reverse Email Lookup, meanwhile, starts with an email address and goes from there. It tells you who owns the address, what they've done with it, and which accounts they've got connected.
It's all about direction. Both searches use the same core tools, but the direction of the search is different. Which one you pick depends on which data point you're starting with: if you have an email address and want to know about it, it's a reverse email lookup. If you're starting with data that isn't an email address - but want to find one - you'll be working on email lookup, a.k.a. "email discovery".
But which is better?
Email discovery is useful in some cases. Say if you're a business wanting to find a potential supplier's contact details, for example. But usually, OSINT investigators will be using reverse email search.
It's because email addresses are so prevalent, and just yield more data as a starting point. Everybody online has an email, they're stable (people keep the same address for years), they link to accounts, and they even show up in breach lists - even more so now with integrated Google accounts and third-party logins. So most of the time, you'll be working in reverse.
Reverse Email Search for Beginners
Now let's learn how it's done. Take your target email address and go through these steps in order - they're fast, legal and extremely productive.
Run the email through an OSINT platform: OSINT platforms are built for reverse email lookup, and a whole load of other features besides. Plug your target email into a service like OSINT Industries and see what comes up: it'll spit back out an aggregated report with breach hits, WHOIS records, linked social accounts, aliases, affiliated domains… basically anything you could need to direct your investigation. This will save you tons of time in manual searching.
Google dorking (as a backup): If you don't have access to an OSINT platform - or if your results aren't coming up as comprehensive as you'd like - you can also resort to a good old Google dork. Try exact-match ("emailosint@professional.com") and site: operators.
Check breaches and leaks: Sometimes reverse lookups can pull breach exposures; if your target has had info leaked, they're a great way to expand your profile.
Safety Warning: Use aggregated checks rather than poking around raw leaks yourself. Without automatically compliant OSINT tools, you could find yourself on the wrong side of GDPR or CCPA.
Email Validation
Validating an address will stop you wasting time on dead leads and throwaways. Or maybe you just need to know if an email is real. Either way, there are lots of different types to try.
Syntax Check (quick): Confirm that the address matches a valid email syntax - the classic "name@domain.com" structure. No typos or broken addresses? You're good to go.
Mail Exchange (MX) Lookup (essential): Verify that the domain exists. A DNS "mail exchange" (MX) record directs email to a mail server; so, if there's an MX record, the email address is real. Use an online search tool to check it out.
SMTP/TCP Handshake (deep): Make extra sure that the domain is working. If MX records exist, an SMTP probe can sometimes show whether the mailbox is accepted. Automated probing can trigger abuse filters, though, so proceed responsibly.
Confirmation Email (definitive but dangerous): The only watertight way to confirm an email is real is by sending a verification message. If you receive a response (and not a bounce-back message), it's legit. However, be careful; only use this step if you're able to let your target know they're being investigated.
Safety Warning: Some of these methods are risky. Always validate your address to the minimum standard you need to go forward. The less intrusive, the better.
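The two least intrusive tiers above, as an added example (not code from the newsletter): a syntax check, then a DNS MX query encoder and response parser using only the Python standard library. `sample_response` is a constructed reply for the domain used in this issue's case study; an MX answer is evidence about the domain, while the mailbox itself is what the SMTP and confirmation tiers test.

```python
import re
import struct

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@((?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,})$")

def mail_domain(address):
    """Tier 1: return the lowercased domain if the syntax is plausible, else None."""
    m = EMAIL_RE.match(address.strip())
    return m.group(1).lower() if m else None

def build_mx_query(domain, txid=0x1234):
    """Tier 2: encode a DNS question for the domain's MX records (type 15, class IN)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in domain.split("."))
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">2H", 15, 1)

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, after, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                # compression pointer
            after = off + 2 if after is None else after
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:            # refuse pointer loops
                raise ValueError("DNS name pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if after is None else after)

def parse_mx(msg):
    """Return sorted (preference, exchange) pairs from a DNS response message."""
    qd, an = struct.unpack(">2H", msg[4:8])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 15:                            # RDATA = preference + exchange name
            pref = struct.unpack(">H", msg[off + 10:off + 12])[0]
            records.append((pref, read_name(msg, off + 12)[0]))
        off += 10 + rdlen
    return sorted(records)

def sample_response(domain):  # constructed reply: one MX, preference 10, mail.<domain>
    rdata = struct.pack(">H", 10) + b"\x04mail\xc0\x0c"
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 15, 1, 300, len(rdata)) + rdata
    return struct.pack(">6H", 0x1234, 0x8180, 1, 1, 0, 0) + build_mx_query(domain)[12:] + answer
```

For a live lookup, send the bytes from `build_mx_query` to your resolver over UDP port 53 and pass the reply to `parse_mx`; an empty list means the domain publishes no MX record.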
Manual Methods: Username Extraction, Delimiters and Alternate Providers
Of course, you can also do OSINT work on email addresses in other ways. Often the most valuable pivot is the portion before the @: the username. And you don't even need fancy tools to extract it. Here's how.
Extract the username stem. Pull out the local part (everything before @), and treat it like a username. Most of the time people will reuse handles, so it could have gathered lots of juicy data already.
Run username searches: Use OSINT tools or Google dorks on that username. If the handle appears repeatedly, it's a strong pivot to other leads.
Try alternate providers: If you have emailosint@professional.com, try emailosint@gmail.com, emailosint@yahoo.com, emailosint@hotmail.com… and so on. Combine this with username search tools to see which variations appear online. (Prioritise plausible provider swaps rather than brute forcing huge lists.)
Generate plausible username variants: Try delimiter swaps (email.osint, email_o), year digits, leet substitutions, or platform suffixes - like we talked about last issue - based on the person's likely behaviour.
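The manual steps above as one small script, added here as an example (not the newsletter's own code): it extracts the username stem, generates delimiter swaps only, and lists the three provider swaps named in the text. The function names and the `max_tokens` bound are assumptions of this example; the sample address is the one from this issue's case study.

```python
import itertools
import re

SEPARATORS = ("", ".", "_", "-")                       # "" means no delimiter at all
PROVIDERS = ("gmail.com", "yahoo.com", "hotmail.com")  # the providers the text names

def split_address(address):
    """Return (local part, domain), lowercased; the local part is the username stem."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain

def delimiter_variants(local, max_tokens=4):
    """Rewrite every gap between tokens with each separator, bounded to stay plausible."""
    tokens = [t for t in re.split(r"[._-]+", local) if t]
    if len(tokens) < 2:
        return {local}
    if len(tokens) > max_tokens:                       # too many gaps: uniform swaps only
        return {local} | {sep.join(tokens) for sep in SEPARATORS}
    gaps = itertools.product(SEPARATORS, repeat=len(tokens) - 1)
    return {local} | {"".join(t + s for t, s in zip(tokens, g)) + tokens[-1] for g in gaps}

def provider_swaps(address, providers=PROVIDERS):
    """Same local part at other providers, skipping the one already known."""
    local, domain = split_address(address)
    return [f"{local}@{p}" for p in providers if p != domain]

def pivot_plan(address):
    """Search order: the exact stem first, then shorter variants, then provider swaps."""
    local, _ = split_address(address)
    variants = sorted(delimiter_variants(local) - {local}, key=lambda v: (len(v), v))
    return {"usernames": [local] + variants, "emails": provider_swaps(address)}

if __name__ == "__main__":
    plan = pivot_plan("g.bush.art@bushcreative.co")    # address from the issue's case study
    print(len(plan["usernames"]), "usernames, e.g.", plan["usernames"][:4])
    print(plan["emails"])
```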
Example: Email Search in Action
It's example time. In this entirely legitimate and totally-not-made-up case study, you're commissioning a portrait of your pet from a mysterious artist: g.bush.art@bushcreative.co. However, your animal masterpiece is taking far too long to get painted - and you fear the cryptic creator might be a dirty rotten scammer. Let's investigate him.
Step One: Reverse Search
You plug the address into an OSINT tool. The report returns an old breach record that lists the username "gbush.art", and a public Strava account showing runs around local public art trails.
Step Two: Validation Check
MX lookup confirms bushcreative.co is live, and SMTP probing shows the address accepts mail (no "user unknown" error). The account likely still exists.
Step Three: Username Extraction
You drop the provider to leave the local part, g.bush.art, and search it across social and portfolio platforms. A hit appears on DeviantArt (deviantart.com/gbushart) showing matching branding to bushcreative.co - and lots of incredible artwork.
Step Four: Begrudgingly Wait For Your Pet Portrait
It seems g.bush is real - and despite his sketchy behaviour - actually produces plenty of pet portraits. The wait continues. (Honestly, we wish we were joking.)
Key Takeaways:
Hopefully, by now you've got email. This issue has taught you:
The Basic Steps: How to run a reverse email search
Reverse, Reverse: The differences between reverse lookup and discovery (it's direction)
Criss Cross: How to extract username stems, and pivot across providers
Take it Back Now, Y'all: How to validate your addresses, and be cautious about it