Let’s face it, we hate email spammers like the next email account-owning person. Even worse when we don’t know who they are and we cant unsubscribe. This article talks about how to track down users by email address, find them, their old accounts, checkout website hidden emails, and get a little revenge. We’ve spoken about our dislike for email spammers previously. Consider this article an extended version of advice.
Every day we receive so many emails, personal, work-related, and random Viagra emails that, quite frankly, is pretty ridiculous. However, there is one aspect we dislike more than random email spammers: email scammers. I’m not talking about random emails from Nigeria (apologies for generalizing) who claim to be the king. I’m talking about the phishing emails almost exactly like the organization they are pretending to be. That’s a new kind of low, and we don’t like that kinda thing.
For those that may find statistics interesting, in 2019, 293.6 billion emails were sent and received daily. In 2020, this grew to 326.2 billion per day, and the projected number for 2021 is an astonishing 364.4. It doesn’t take a genius to see the rapid growth. What is significant is the jump in projected numbers for 2021. No doubt that has something to do with a relatively minor worldwide pandemic, perhaps.
What’s included?
This article will cover 5 steps of finding someone by email address. It covers standard reverse email tools, tracking scammers to their houses, finding hidden emails in websites, Google Dorking, and hacked data dumps. It will also cover some of the lesser-known techniques used by private investigators.
Other Information on finding emails
For those driven online readers, we have discussed other techniques for finding people online with limited information. I summarise them here, in case they take your fancy:
- User Lookup: Search like a pro..without tools
- Hide and Seek : How to find anyone online (and hide)
- How to find profiles onilne? Discover if your partner has a secret dating profile (part 1)
- What can a hacker do with your Email?
- How to Find and Search for Someone on Tinder
As you can see, we have a vast array of learning materials for you. If you continue reading, we’ll hopefully encourage you to track down those scammers and perhaps keep them up at night. Perhaps you’ll find their base of operation from our article!
Find Someone using a Reverse Email Lookup
What is a reverse email lookup? You may be on a journey, trying to find out who owns an email, and come across this term. You will no doubt come across various sites claiming they can do this…if you just hand them some money. Or, instead of money, they may want your life history and you’re mother’s maiden name. Those of you persuaded to do this are likely full of bitterness now. Yes, we know, most of them don’t work.
For those not totally embedded with OSINT communities, you may not have seen this term much. A reverse email lookup tools are applications that track down the identity of who originally registered the email address. It can also uncover information on social networks or dating sites that the email may be associated with.
That’s quite a handy tool, right? with such a capability. I can see internet scammers running to the hills!
1) How to find the email sender’s physical location?
Those eagle-eyed among you will know this technique from a previous article, but it’s so valuable…we mention it again.
If you go to the suspect email in question, you will see a button or tab (usually on the top right) called ‘view source.’ This is what it will look like:
What you want to focus on and look for is within the ‘received section of the header. Just to backtrack a moment for those who may be new to email headers. Email headers are sent with every email, it contains coded information about the sender, recipient, the route the email took, and various authentication codes. Sometimes, email providers will add their own code here, which can misrepresent the information, so just be wary of the reliability. Always double-verify the information through other sources.
As we were saying, you are interested in the IP within the ‘received’ section of the header. On this header, it’s the number 199.7.203.63. This IP number is essentially the computer’s phone number that was used to send the email. Sometimes, the IP is the actual home router where the email was sent. Other times, it can be the ISP server location, and sometimes it can be the email provider server. As we mention, double verify the information, so you don’t make false conclusions.
Track down that IP address…hackers style
Next, we actually want to track down that IP address. Let’s find out what country it’s from, and perhaps what street. You need to use a free online tool called Trace-route. This tool essentially bounces around the internet, tracking down the IP address to the closest location it can get. There are loads of trace-route tools online, but for our example, we use tools.keycdn.com.
All you need to do is copy/paste the IP address into the traceroute and watch the great-looking trace take place. For us, this is what it looks like:
There you have it, we now have the physical location (address) of the email sender. The more advanced technology gets, the closer the networks can pinpoint IP addresses to the physical location. Try sending yourself an email and test out the traceroute…then check it out on Google Maps, and see how close you can get to your current location.
2) Do Email lookup tools work?
We’ve already mentioned you may have had some experience with reverse email lookup sites claiming their various capabilities. However, to save you searching, should you want to try them out, we list the more popular ones here (pre-warn they are all charged websites, bar one):
- Find That Email (https://findthat.email/)
- Finder Expert (https://finder.expert/)
- Snov.io (https://snov.io/)
- voila Norbert (https://www.voilanorbert.com/)
- Email Finder (https://hunter.io/email-finder)
- FindThatLead (https://findthatlead.com/en)
- Email-Prospector Pro (https://www.egrabber.com/emailprospector/)
- FindEmails (https://www.findemails.com/)
- UserSearch (https://www.usersearch.org – Free)
3) How to Dork / Hack Google for emails?
Don’t be alarmed for those unfamiliar with the term Google Dorking. Google hacking is known within the private investigator world as simply entering precise keyword terms into google to retrieve data that has been indexed by the Google bot but would not typically be presented in search listings.
We could write an entire article on Google Hacking, which many have (there is quite a comprehensive article at osintguro.com). However, for the purpose of finding emails, Dorking can sometimes show databases of websites, or leaked databases, which include usernames and email addresses. This is a handy way of finding out where an email has or had been at the time of the database breach. The most extensive resource for finding out what terms can be used in Google can be found at exploit-db.com.
4) Find emails in hacked database dumps
In the united states, they saw 1,244 recorded data breaches in 2018 and had 446.5 million exposed records. The keywords in that statement are recorded data breaches. How many companies hide these exploits under the carpet to save fines and shame?
Every few months, we see major data leaks in the news. These data leaks typically contain usernames, emails, passwords, personal banking details, addresses, and the whole lot sometimes. So, wouldn’t it be useful if you could somehow scan all these data dumps for your target email address and find out what sites they have been on? Well, a very clever chap called Troy Hunt already thought of this and provided exactly that service. Due to the usefulness to our users, we pay to access their API ourselves.
As a result, we include their data as a search on our site. On our main page, click the tab ‘Have I Been Hacked?’. It will then list all the reported data dumps an email address has been included in a hack. There are quite a few dating sites on that list.
5) Website hiding their email address? No problem.
Some websites have a ‘contact us page but do not actually advertise their email address. This can be for several reasons, such as reducing their own email spam, or for security reasons, they do not want their email account to be publicly known. Smaller organizations may not have a business email, and you’ll find when you fill in a ‘contact us form, it goes directly to someone’s personal email address. Want to find that email they are hiding? It’s not too difficult.
All websites are built-in code; at their most basic, it’s HTML. To build a form, HTML is needed. There will be an ‘action=’ code snit bit within the code somewhere. After the ‘=’ symbol, you’ll find the email address to which your contact form is sent. So, to find this, simply right-click on the form in question and select ‘view source.’ You’ll see something like this:
Please don’t be intimated by what you see, if you are unfamiliar with code, it will look like a foreign language.
No coding knowledge is needed.
As coders, we know one of the least common symbols used in coding would be the ‘@’ symbol. So, all you need to do is click ‘CTRL + F’ at the same time. This will bring up a search bar, which you just need to enter the @ symbol and search. If the email address is hidden somewhere within the HTML, you’ll find it.
If you don’t fancy accessing the HTML and searching for the @ symbol, there is a tool that will pull out any hidden emails from within the HTML for you. All you need to do is enter the URL you want to check and click go. Simply this main page and select the ‘Email Extractor’ tab. This check for hidden emails does not have to be on contact forms; it can be on any page where you suspect emails may exist, such as a long chat forum where you don’t have the time to check all the messages.
5) How to use Google to find an email?
You may sigh, back to google again, but not Dorking this time. We’ll tell you how to use Google, the Private Investigator way.
Google accepts highly complex search operators, which literally sifts false positives very efficiently. It also allows you to perform eagle-eye-focused searches for emails. You may have an email address, but you’re not coming up with much by just placing it in google. What you want to do next is just use the first portion of the email address before the @ and try google. However, don’t just enter it on its own. Use the information you have gained from checking data dumps to focus your search on known websites with which your email address has been associated. Here is how you can do that:
- site:companywebsite.com + [name] + email
- site:companywebsite.com + [name] + contact
- site:companywebsite.com + firstname.lastname [at] companyname.com
- site:companywebsite.com + firstnamelastname [at] companyname.com
- site:companywebsite.com + firstname [at] companyname.com
- site:companywebsite.com + firstname_lastname [at] companyname.com
Using combinations like this, you can come across old profiles that were once available on google that are no longer available. Using this method in google as a final evaluation after checking hacked data dumps can quite often prove very fruitful.
6) Checking Social Networks, stalker style
You’ve probably already considered this, but if you haven’t, we think you should check social networks. Check the more common onces such as Facebook, TikTok, etc. But, where should you go if you’re not getting much luck there? The latest statistics put the number of social networks online in the thousands. If you consider all the forums and smaller communities, too, we’re looking at 10s of thousands.
The quick solution? Put that email in a reverse lookup tool like UserSearch. Still not getting much traction? Pull out the first portion of the email address and treat that as a username. For example, if the email address is [email protected], use reverse username lookups for just “I_Like_Pasta.” You’ll be surprised how many people use the first part of their email as a username!
Bonus Step: Email tracking with a new Dorking Service
In 2022, a new Google Dorking service has become available to the public. We thought it was so great, it deserved an update in this article and a mention. DorkSearch is a no-nonsense service that acts as the Google..for Google Dorking. It even looks a little like Google, but with many more features.
DorkSearch provides a huge pre-built database of thousands of Google Dork queries, explaining what they are for. You can choose what category of Dorks you may be interested in, such as ‘Files Containing Juicy Info’ or ‘Files Containing Passwords.’ All you need to do is select the category that interests you, click the dork you want, and their search bar will auto-populate. Then, you can leave it as it is or change it to your specific Dork Search (i.e., focus on a particular email address). Check out the below Gif to see how easy it is:
They also have a Dork Builder feature which is particularly useful when you’re trying to build a unique Dork for various email addresses across multiple sites. You can mix any combination of Dork terms until you explore/discover entirely new Dork search terms! Check this custom Dork, we created a combination of ‘Site’ and ‘+’ to create a Search term that looks only at Linkedin for any page that contains the email term ‘@gmail’. The result? thousands of LinkedIn profiles, who allow their emails to be public (who use Gmail). It’s pretty good fun, exploring and discovering your own dorks! See the Steps on how we did this here:
- Step 1 – Choose your combination to use. Add a specific email address with a term, or keep it generic and look for all emails of the type Gmail / Hotmail / @’companyofinterest’, etc. Click search and see what comes out. No result? Go back, change it a little, and try again!
2) Step 2 – Once you get that magic combination, your results can be rather valuable. Here, we can see several thousand LinkedIn profiles who allow (knowingly or not), their email addresses to be listed on Google (and who use Gmail as their email providers).
Summary
There we have it, 5 methods, quite commonly used by private investigators, to find the person behind the email address. Also, you now know how to find further associated accounts by email address. You also have several reverse email search tools that you could try, should you wish to pay.
We hope this knowledge can be used for good, perhaps track down that nuisance spammer, or track down a scammer who may have exploited someone you know. Have a great story to tell us? Email in.
If you found this article useful, you may be interested in our other writeups on how to find someone by just emails and usernames:
- How to find someone on social networks by username?
- Top 16 open source intelligence tools (OSINT) to find anyone online
- Hide and Seek : How to find anyone online (and hide)
- People Search Engine: Email & Username Lookup Service
- How to choose the right email address?
- How to do a Reverse Email Search?
- OSINT Investigations: Top Tools & Techniques Used by Experts
