How Email Finding sites like Email Hunter and Snov.io work

Find out how you can create your own email finding service.

They guess and verify. And they do that by interrogating and psychologically abusing mail servers. Most mail servers are innocent, friendly creatures. Say HELO and they’ll immediately respond with a Hello, unless they’re mad, or dead.

Tell them who you are and they excitedly respond with an OK.

Tell them who you need to email and they’ll tell you if your recipient’s address is correct or not (Beware, sometimes the sneaky ones lie).

Email finding sites exploit this friendliness to guess and verify email addresses.

They need to know the contact’s full name and their company domain. So if we’re looking for Bill Gates in Microsoft, we’ll need a time machine. But if we need his email address at Microsoft, we’ll need to know that his full name is Bill Gates, and his company’s domain is microsoft.com.

We then use this information to generate a list of email addresses to guess at. Most large companies have standard email address patterns. Here are the most common ones:

We need to figure out which of these is the real Bill Gates. Let’s email them all to find out. Not!

That’s exactly what we’re going to do. Email them all. Not!

What I mean is that we’ll pretend to send them all an email — then don’t!

When you’re asking a mail server to send an email for you, the mail server will tell you if the recipient’s email address is correct or not. Once it does, you hang up.

Rude, isn’t it?! Imagine being treated like that. If mail servers find out you’re trying to taking advantage of them, they’ll stop talking to you. And even tell other mail servers not to talk to you. Mail servers are generally tight with their own kind.

That was, in a gist, how you can use TELNET to guess email addresses. TELNET is a way to interact with services — kind of like a phone. You ring someone up; if they’re there, they pickup and respond. If they don’t want to answer, they ignore your call. If they pickup, you can begin communicating with them. Either ask them to do something, or ask for information. But you need to speak the language they understand. Otherwise, they won’t be able to respond. Mail servers understand SMTP (among others), which is a protocol for sending and receiving emails via a mail server. SMTP connections are usually made on port 25. A port is like a phone extension.

Now, we need to connect to Microsoft’s mail server using TELNET and verify possible email addresses of Bill Gates by sending SMTP messages to the mail server. When we connect to the mail sever using TELNET, we will receive a prompt ready to accept our SMTP messages.

Well, let’s actually see this in action. Fire up your Command Prompt (Windows) / Terminal (OS X / Linux). Most operating systems come built-in with TELNET, so you likely won’t need to install it. If the TELNET command doesn’t work, google your way through the installation process for your operating system. TELNET’s syntax is simple.

These examples are all run on the Mac OS X Terminal.

telnet HOST PORT

Our HOST here is our mail server, and the PORT is 25(Remember, mail servers can be connected to on port 25). Let’s run it against microsoft.com.

**telnet microsoft.com 25**Trying 104.43.195.251...

It will stay like this for a while, doing nothing. Hit Ctrl+C to close the connection. Because this is wrong. Mail servers are normally hosted on a subdomain, or another completely different address. A lot of companies don’t even have their own mail servers; they subscribe to mail providers such as GMail, Outlook365, Zoho, Yandex, etc.

So how do we find out Microsoft’s mail server? It’s simple. Microsoft, like every other website makes it known publicly. Each website has their own address-book called the DNS that lists their relevant addresses and ports. Their mail servers are listed in the DNS as well.

To find it, we’ll need to use another command called DIG. Think of this command as an address-book lookup. On Windows, DIG is not installed by default, you can either install it yourself, or use the NSLOOKUP command.

Mail servers are categorized into records called MX records. MX stands for Mail Exchanger. So let’s see how we can use the DIG and NSLOOKUP commands to find Microsoft’s MX records, and hence the mail server.

DIG’s syntax:

dig [CATEGORY] HOST

Our CATEGORY here is MX, while our HOST is microsoft.com. The CATEGORY is optional, you can leave it out and get all listed DNS records. We’ll run it with MX though.

**dig mx microsoft.com**; <<>> DiG 9.9.5–3ubuntu0.15-Ubuntu <<>> mx microsoft.com;; global options: +cmd

;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23550;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:;microsoft.com. IN MX

;; ANSWER SECTION:microsoft.com. 60 IN MX 10 microsoft-com.mail.protection.outlook.com.

;; Query time: 13 msec;; SERVER: 172.31.0.2#53(172.31.0.2);; WHEN: Wed Nov 01 14:59:20 UTC 2017;; MSG SIZE rcvd: 96

That’s a lot of weird codes and numbers. Don’t worry, we’re just interested in the ANSWER SECTION for now. That’s where the mail server is listed.

Most websites normally have more than one mail server, just in case one goes down or is inaccessible for some reason. So don’t be surprised to find multiple entries in there. You can just pick the first one on the list for our purpose.

We can add some options to the DIG command to get just the answer section, and no other mumbo jumbo.

**dig +noall +answer mx microsoft.com**microsoft.com. 60 IN MX 10 microsoft-com.mail.protection.outlook.com.

Now, we just have our answer. But it doesn’t look like a valid address. That’s because it provides more than just our address. Only the last part microsoft-com.mail.protection.outlook.com is our mail server address (trailing dot not included).

If you don’t have DIG, you can use the NSLOOKUP command instead:

**nslookup -q=mx microsoft.com**Server: 172.31.0.2Address: 172.31.0.2#53

Non-authoritative answer:microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.

Authoritative answers can be found from:

Again, only the last part of the answer without the trailing dot is our mail server — microsoft-com.mail.protection.outlook.com

Alright, so we have our target mail server now. Let’s test out that TELNET command we failed at earlier. Only this time, we use the mail server as HOST instead of the website address.

**telnet microsoft-com.mail.protection.outlook.com 25**Trying 23.103.156.42…Connected to microsoft-com.mail.protection.outlook.com.Escape character is ‘^]’.220 BL2NAM06FT016.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 1 Nov 2017 15:13:16 +0000

It works!

We see… some gibberish. But we can see that it s connected and it’s waiting for us to write something. The mail server picked up our phone. It is ready to talk to us. But what do we say? Remember… mail servers understand the SMTP language. Let’s greet them in SMTP. Say HELO.

HELO250 BL2NAM06FT016.mail.protection.outlook.com Hello [54.149.XXX.XXX]

It says Hello. It likes us… so far.

Time to get mean! Let’s pretend to send an email via the mail server. See if it can tell us Bill Gates’ email address. First, we need to give it our own email address. Which is what will be the from email address if we actually want to go through sending the email. To specify the from email address, you need to use this syntax:

MAIL FROM: EMAIL@DOMAIN

Mail servers don’t read the news. They don’t know that Steve Jobs has passed away. So we can just be Steve Jobs right now.

MAIL FROM: <stevejobs@apple.com**>**250 2.1.0 Sender OK

Sender OK. See, it doesn’t know. Now, we can finally begin guessing…

Here’s the syntax for describing the recipient address:

RCPT TO: EMAIL@DOMAIN

We’ll test out a variety of addresses, based on the list of most common email patterns (listed above).

RCPT TO: <billgates@microsoft.com**>**550 5.4.1 [billgates@microsoft.com]: Recipient address rejected: Access denied [BL2NAM06FT016.Eop-nam06.prod.protection.outlook.com]

Recipient address rejected. Looks like that’s not Bill Gates’ email address. Let’s try a few more…

RCPT TO: <bill.gates@microsoft.com**>550 5.4.1 [bill.gates@microsoft.com]: Recipient address rejected: Access denied [DM3NAM06FT009.Eop-nam06.prod.protection.outlook.com]RCPT TO: <bill_gates@microsoft.com>550 5.4.1 [bill_gates@microsoft.com]: Recipient address rejected: Access denied [DM3NAM06FT009.Eop-nam06.prod.protection.outlook.com]RCPT TO: <bill-gates@microsoft.com>550 5.4.1 [bill-gates@microsoft.com]: Recipient address rejected: Access denied [DM3NAM06FT009.Eop-nam06.prod.protection.outlook.com]RCPT TO: <bill-gates@microsoft.com>550 5.4.1 [bill-gates@microsoft.com]: Recipient address rejected: Access denied [DM3NAM06FT009.Eop-nam06.prod.protection.outlook.com]RCPT TO: <billg@microsoft.com>**250 2.1.5 Recipient OK

It’s a Bingo! We found Bill Gates’ email address at Microsoft: billg@microsoft.com.

You can now find out anyone’s email address just as well as major email finding services. But the process, as you’ve seen, is a little involved. Lots of typing and lots of waiting in-between.

So stay tuned for the the next post where I’ll explain how you can automate the process completely (including access to the complete code).

Then in the post after that I’ll describe what it takes to scale the service to handle thousands of email guesses and what kind of challenges you’ll face along the way.

Disclaimer: The opinions expressed in this article are my own. I am not paid by anyone to write this article. I am in no way associated with, or in competition with, any of the services, trademarks or companies mentioned in the article — to the best of my knowledge.