Read the recon list as a defense checklist

security
osint
phishing
privacy

A list of "email and social media recon tools" went around recently, framed as ammo for phishing campaigns. I'd rather read it the other way. Every tool on that list is something an attacker points at you before they ever send a message, which makes it a map of your own exposure. So point it at yourself first.

The uncomfortable update is that this used to be slow. Profiling one target by hand took an analyst the better part of a week. Now a model scrapes LinkedIn, old breach dumps, and public posts and assembles that dossier in minutes, which is why targeted phishing is spiking. The recon is automated and cheap. Your defense has to be deliberate.

What the recon actually finds

The tools cluster into four stages, and each one answers a question about you.

Is the address findable? Harvesters like Hunter.io map every address on a domain from public pages, so "nobody knows this inbox" is rarely true for a work account.

Has it leaked? Breach lookups (the defensive one being Have I Been Pwned) check your address against known dumps. A hit often means a password is floating around too, which is why reuse is the real risk, not the leak itself.

Does it link to the rest of your life? Username-tracing tools walk one handle across hundreds of sites. Reuse the same name on GitHub, Reddit, and a gaming forum and you've stitched those identities together for free.

What enriches the picture? Social profiles, a phone number, an employer, a job title. Individually harmless. Together they're the raw material for a message that knows your boss's name and the project you shipped last week. That's the blueprint a spear-phish is built from.

The list, as a self-audit menu

Here's the original list in full, read the useful way: point the ones that take an email or a handle at your own accounts and domains and see what comes back. That's the whole exercise.

  • Hunter.io — finds addresses by domain. See who at your org is harvestable.
  • Emailrep.io — reputation and profile signal for a single address.
  • Sn0int — a semi-automated OSINT framework that ties findings together.
  • Social-Analyzer — profile analysis across social networks.
  • Sherlock — hunts a username across platforms.
  • Maigret — the same idea at 500+ sites, with extracted details.
  • Holehe — which sites an address is registered on, without alerting them.
  • WhatBreach — breaches tied to an address.
  • GHunt — what a Google account quietly exposes.
  • IntelX — search across leaked databases and archives.
  • Skymem — addresses surfaced in public dumps and lists.
  • Have I Been Pwned — the breach check to actually run on yourself first.
  • Buster — aggregates an address into linked profiles.
  • EmailHippo — validity and domain checks.
  • EmailValidator — syntax, domain, and deliverability.
  • LeakCheck.io — leaked data indexed by email.
  • MyPastEmails — services historically tied to an address.
  • PhoneInfoga — recon on phone numbers attached to an identity.

Only run these against accounts, domains, and numbers you own or are authorized to test. Same tools, opposite intent.

Run it on yourself

None of this is exotic. The same recon is a clean self-audit, and most of the fixes are boring in the best way. Tick these off:

Lock-down checklist

The few that matter most

If you only do three things, do these.

Kill password reuse. A breached address is a nuisance; a breached and reused password is an account takeover. Unique passwords in a manager turn every leak into a shrug.
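To make the reuse point concrete, here is an added example (not from the original post) that ranks a password-manager export by the distinction drawn above. The vault rows, the breached-address set, and the names `audit` and `fingerprint` are constructed for illustration; note how the bank login lands in the top finding even though its own address never leaked.

```python
import hashlib
from collections import defaultdict

# Constructed sample rows, shaped like a password-manager export.
VAULT = [
    {"site": "forum.example", "login": "sam@example.com", "password": "Tr0ub4dor&3"},
    {"site": "shop.example", "login": "sam@example.com", "password": "Tr0ub4dor&3"},
    {"site": "bank.example", "login": "sam.private@example.net", "password": "Tr0ub4dor&3"},
    {"site": "mail.example", "login": "sam.private@example.net", "password": "x9!vQ2#lm0Zr"},
    {"site": "git.example", "login": "sam@example.com", "password": "c7&Hq1$wPz8e"},
]
# Constructed: addresses your own breach lookup reported as leaked.
BREACHED_LOGINS = {"sam@example.com"}
RANK = {"takeover": 0, "reuse": 1, "nuisance": 2}

def fingerprint(password):
    # Group by digest so plaintext is never a dict key or part of the report.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def audit(vault, breached_logins):
    breached = {login.lower() for login in breached_logins}
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry)
    findings = []
    for entries in groups.values():
        leaked = any(e["login"].lower() in breached for e in entries)
        reused = len(entries) > 1
        if leaked and reused:
            risk = "takeover"   # one leak opens every site sharing the password
        elif reused:
            risk = "reuse"      # not leaked yet, same blast radius once it is
        elif leaked:
            risk = "nuisance"   # leaked, but the password opens nothing else
        else:
            continue
        findings.append({"risk": risk, "sites": sorted(e["site"] for e in entries)})
    return sorted(findings, key=lambda f: (RANK[f["risk"]], f["sites"]))

if __name__ == "__main__":
    for finding in audit(VAULT, BREACHED_LOGINS):
        print(finding["risk"], ", ".join(finding["sites"]))
```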

Make phishing-resistant authentication the default for anything that matters. Passkeys and hardware keys (FIDO2/WebAuthn) don't hand anything phishable to a fake page. SMS codes do. The current consensus is to put FIDO2 on high-risk accounts and stop relying on people spotting a bad link.

If you own a domain, close the spoofing door. SPF, DKIM, and DMARC at p=reject stop attackers sending mail as you. It pairs naturally with the other edge hardening I've written about, like blocking scanners and disposable signups.
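A quick way to check your own domain against that bar, as an added example that is not part of the original post: it audits SPF and DMARC TXT records you have already looked up and lists what falls short of `p=reject`. The records and the domain example.com are constructed placeholders, the function names are illustrative, and DKIM is left out because its selectors cannot be found from the domain name alone.

```python
# Constructed TXT answers for the placeholder domain example.com, as lookups
# of example.com (SPF) and _dmarc.example.com (DMARC) might return them.
WEAK = {"spf": ["v=spf1 include:_spf.mailhost.example ?all"],
        "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}
HARDENED = {"spf": ["v=spf1 include:_spf.mailhost.example -all"],
            "dmarc": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"]}

def parse_tags(record):
    # DMARC records are 'tag=value' pairs separated by semicolons.
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def audit_spf(txt):
    records = [r for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:  # zero means no policy; several is an SPF error
        return [f"spf: expected exactly one v=spf1 record, found {len(records)}"]
    terms = records[0].lower().split()[1:]
    tail = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not tail and any(t.startswith("redirect=") for t in terms):
        return []  # the policy lives in the redirect target; audit that one
    if not tail:
        return ["spf: no 'all' term, unlisted senders get a neutral result"]
    if tail[0] in ("all", "+all", "?all"):
        return [f"spf: '{tail[0]}' does not fail unlisted senders"]
    return []

def audit_dmarc(txt):
    records = [r for r in txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(records) != 1:  # receivers apply no policy in either case
        return [f"dmarc: expected exactly one v=DMARC1 record, found {len(records)}"]
    tags = parse_tags(records[0])
    issues = []
    if tags.get("p") != "reject":
        issues.append(f"dmarc: p={tags.get('p', 'missing')}, not reject")
    if "sp" in tags and tags["sp"] != "reject":
        issues.append(f"dmarc: sp={tags['sp']} is weaker than reject for subdomains")
    if tags.get("pct", "100") != "100":
        issues.append(f"dmarc: pct={tags['pct']}, policy applies to only part of the mail")
    return issues

def audit(domain_txt):
    return audit_spf(domain_txt["spf"]) + audit_dmarc(domain_txt["dmarc"])

if __name__ == "__main__":
    for name, txt in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(txt) or "no findings")
```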

The mindset shift is the cheapest upgrade of all: assume a stranger can already assemble a convincing, personalized message about your life. Once you expect the polished, on-topic email to be the dangerous one, verifying out-of-band stops feeling paranoid and starts feeling normal.

Sources: Adaptive Security, Optrics, Keepnet.
