Domain Email OSINT Investigation
Almost every website has at least one hidden email address that is directly linked to the website owner.
Almost every website has at least one hidden email address that is directly linked to the website owner. If a company owns the website, there will certainly be several hidden email addresses we can find.
Whether you are investigating who is behind a shady website or you want to identify the people working for the company that owns the website, these emails will consistently help you find them. Furthermore, bad actors or people that want to stay hidden often do not even know that these email addresses exist because they are often created automatically.
Or, in most cases, people who have these email addresses believe that they are perfectly hidden because the addresses are not on the Open Web. Therefore, bad actors usually do not know that investigators, or anyone, can find these email addresses on the Deep Web.
For any website, there are email addresses that have the website domain as the domain of the email address and a username that usually hints at the name of the owner. For example, if we use a fake website domain like “LKglobal.com” for an example, the site would be linked to email addresses like as “[email protected]”.
Why search for email addresses linked to website domains?
For the most part, only the website owner has the ability to make and maintain these emails. This means that anyone using one of the emails that ends in the domain “@LKglobal.com” is directly linked to the website owner or that person actually is the website owner.
Similarly, when the website is for a company, such as “L.K. Global,” these email addresses are the work email addresses for company employees.
The point is that if you are interested in a website, these emails identify people that are directly linked to it. Identifying these people can identify more information about the website or company.
The emails themselves can be a great starting point for investigating these individuals. Once the email addresses are identified, there are several simple steps to researching the user. These email addresses commonly have a username that is the person’s actual name or an abbreviation of it.
With the example of “[email protected],” you can search for online accounts registered to the email address, or search for social media accounts or additional email addresses with the same username. If nothing else, you have already discovered a partial or full name of the person by their username (AlissaPeti) and a possible employer by the domain (LKglobal).
There are three good websites that will search for these emails and search in different places. Each website is free and allows you to search based on the email addresses’ domain in the websites’ “domain search.” It will be helpful or necessary to sign up for free accounts on each of these websites.
Normshield
The first site is Normshield, which will search for email addresses in breach data. Breach data is information that was discovered in online breaches and leaks often from hackers that obtained massive lists of email addresses and other information. Breach websites like normshield.com store the data in databases that are essentially invisible to Google.
This is called a “deep web” database, which means that you can only access the data by going to the specific site, in this case normshield. This is relevant because it means you would not be able to find these email addresses by simply Googling for them.
It is worth nothing that the Deep Web is different from the Dark Web, which is only accessible while you are using The Onion Router, all of the Dark Web websites are invisible to Google and the urls end in “.onion” instead of “.com”. Finally, the “regular” internet that is indexed and visible to a Google search is called the Open Web.
Snov.io
The second site is Snov.io, which uses different source to find email addresses. It is not certain where Snov acquires its data, but it is another deep web database in that you can only acquire this information by going to Snov.
Hunter.io
The final site is Hunter.io. Hunter searches for email addresses that are publicly accessible on the open web now, or were once posted in the past but have since been taken down. However it usually discovers email addresses that you should be able to find in a google search, but somehow they do not appear in my results. Hunter also provides links to the websites where it finds the emails.
If you can't find these emails, why not?
Usually a website will have associated email addresses, but sometimes this is not the case.
If you are having trouble find email addresses for a website you can consider doing an MX Lookup to find out if the website is not setup for email addresses.
Mail Exchange Records
An MX Lookup looks up the mail exchange (MX) record on the website’s server. If the record is not setup on the website’s server, that means that the website is likely not able to support email. That means that either there are no email addresses with the website’s domain, or it means that there are email addresses like that but they are no longer functional.
There are ways for a website to support email without the MX record but they are less common. If there is no MX record you can assume that email is not working on the website and its associated email addresses.
When email messages are sent to the website or to the website’s associated email addresses, the MX record on the server tells the incoming email messages where the mail server for that website is located. Generally, a website owner or admin must set up the MX record, which means that they must be interested in setting up an email address associated with the website, or else they likely would not establish the record.
This is a long way of saying that if the MX record is not established on a website, there are likely no email addresses associated with the website.
How To Do an MX Lookup
One can Google “mx lookup” in order to find websites capable of an MX Lookup, such as MXtoolbox.com. To conduct an mx lookup, search for that section of the website, put the url of your website of interest in the search feature and then click search.
If the search finds any results (which will be the names of servers), that means the record has been set up. If the search finds nothing, then there is no active record and you can assume the website has no associated email address and you can move on to more fruitful ideas.
About The Artwork Used In This Article
You may have noticed that we often like to break the norm where an article's image must be relevant to the article's subject, we find it liberating. In this issue, we push the boundaries a little more with some thought-provoking imagery and by showcasing a specific artist. We like to showcase the work of illustrators, designers, and artists when choosing our images, but have never really showcased the work of a photographer before. We thought it was time to change that. True to our form, we chose a subject matter completely unrelated to infosec.
Welcome to the wonderful world of Spencer Tunick, an artist who has been documenting the live nude figure in public since 1992. Tunick has been arrested five times while attempting to work outdoors, the charges were later dropped but the threat of arrest haunted him constantly.
Determined to create his artwork on the streets, he filed a civil rights lawsuit to protect him and his participants from arrest. In May 2000, the Second US district court sided with Tunick, recognizing that his work was protected by the First Amendment of the US Constitution.
In response to New York city's final appeal to the US Supreme Court, Justice Ruth Bader Ginsburg ruled in favor of Tunick by remanding the case back down, allowing the lower court decision to stand and the artist to freely organize his work on the streets of New York City.
Learn more about Spencer Tunick and his art using the links below: