Presented at Dallas Hackers Association October and North Texas Cyber Security Group October meetup. These are my stream of consciousness notes about how I gathered info about a company that "lost" my email address. They are notes taken as I did research, but serve as an example of how anyone can use simple OSINT techniques to report a security issue.

Receive UCE (spam) at [email protected]
Only ever used on, satellite tracking company
Email from [email protected]
Google - no results?
Visit - oh, it's some kind of email marketing service...
Usually the From domain is going to be a legit domain, so the above steps mean you can be reasonably confident that visiting links in the email is safe
Run it in a VM over Tor and 8 proxies if you're paranoid
View headers for email
Look for abuse header

X-Report-Abuse: Please report abuse for this campaign here:

Ah fuck
Try to decipher the stupid link and get
Cool, it's a broken form
Privacy Badger + adblockers + other stuff broke it, that's cool
Next visit the site that lost your email -
Look through contact us list for email address
[Begin your collection of email addresses here]
Nothing - there are some phone numbers though, remember that for later
Google security - no good hits
Try different combinations, with or without site: tag, search for "abuse" "info sec" etc
Find [email protected] referenced on a website, cool, add to email list
Okay, time for Whois
Whois Server:
Go there - HTTP ERROR 504, sigh
Go to, ctrl+f whois -
Hey it works
Registrant Organization: Globalstar - okay, that's the parent company, that's useful
Registrant Email: [email protected] - add this to your email list
Duplicate for any other emails
Tech Name: Matthew Young - hmm, let's look him up
LinkedIn search "matthew young globalstar" - he left the company in 2012, wonderful. Add him to the people list anyway with a notation
LinkedIn search "security" and filter current company to GlobalStar - find a few network security people, but no one stands out
Manager of technology, except he's private
Use names later as a backup, if you can contact a netsec guy they can probably point you to the right team
Look up globalstar, find
Whois search, same information
Check contact page - no emails, contact form and phone number
Same deal, Google security
Hmm, blog posts about security of service by a Joseph Crowley in 2012 - probably not useful
LinkedIn search Joseph Crowley, hey he still works there! But he looks like a regulatory manager, probably not the guy we want but add him to your people list
Go to and find privacy policy in footer
Ctrl+F "@", find [email protected] - I've actually had good success with privacy emails, usually it's a privacy officer who does kind of care about it
Into the email list it goes
Click around on website, find media contacts page
Find two PR people and investor relations, add them to the list too (low priority, PR people will just be confused but can get you in the right direction)
Now we have the email format! [email protected]
Now to
Find privacy policy, find email [email protected], add to email list
Find media contacts, one of the PR people from before
If they're an internet or big enough company, check if they have an ASN
Okay, they own AS19458 - Google AS19458 and you get a lot of good info: the domains hosted in the IP range (great for extra OSINT) as well as the technical contact from ARIN WHOIS
Matthew Young is here again, but we've got another person:
Timothy Calamari, phone number, plus email - add him to the person list
Also email [email protected] - add to email list
Check AS on PeeringDB
No results, sometimes you can find the direct NOC phone + email here
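Added example (mine, not from the talk): a parser for the "Key: value" WHOIS output from the domain lookup and the ARIN ASN lookup above. It collects every email with the roles it appears under (so a registrant/admin duplicate from the domain record shows up once), pulls the contact names, and ranks the company's own abuse/NOC mailboxes ahead of registrant and tech contacts, with the registrar's abuse desk last since that is not the company. The sample record is constructed; the organisation, people and addresses are placeholders, not the real WHOIS data.

```python
import re
from collections import OrderedDict

# Constructed sample: a registrar WHOIS record for the domain followed by an
# ARIN-style record for the ASN. Organisation, people, domains and addresses
# are invented placeholders, not the real records from the talk.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SAT.TEST
Registrar WHOIS Server: whois.registrar.test
Registrar Abuse Contact Email: abuse@registrar.test
Registrant Organization: Example Parent Corp
Registrant Email: hostmaster@example-parent.test
Admin Email: hostmaster@example-parent.test
Tech Name: Jane Doe
Tech Email: jdoe@example-parent.test
Name Server: NS1.EXAMPLE-PARENT.TEST

ASNumber:       64496
ASName:         EXAMPLE-PARENT
OrgName:        Example Parent Corp
OrgTechName:    Doe, Jane
OrgTechEmail:   jdoe@example-parent.test
OrgAbuseName:   Network Operations
OrgAbuseEmail:  noc@example-parent.test
"""

KV_RE = re.compile(r"^\s*([A-Za-z][\w /-]*?)\s*:\s*(.+?)\s*$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NAME_KEY_RE = re.compile(r"^(Registrant|Admin|Tech|OrgTech|OrgAbuse|OrgNOC)\s*Name$")


def parse_whois(text):
    """'Key: value' lines -> ordered dict of key -> list of values (keys can repeat)."""
    record = OrderedDict()
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            record.setdefault(m.group(1), []).append(m.group(2))
    return record


def extract_contacts(record):
    """Every email in the record, de-duplicated, with all the roles it appears under."""
    seen = OrderedDict()
    for key, values in record.items():
        if "email" not in key.lower():
            continue
        role = re.sub(r"\s*e-?mail\s*", "", key, flags=re.I).strip() or "unknown"
        for value in values:
            for addr in EMAIL_RE.findall(value):
                addr = addr.lower()
                if addr in seen:
                    seen[addr]["roles"].append(role)
                else:
                    seen[addr] = {
                        "email": addr,
                        "roles": [role],
                        # Registrar-side contacts belong to the registrar, not the company.
                        "registrar_side": key.lower().startswith("registrar"),
                    }
    return list(seen.values())


def extract_names(record):
    """(role, name) pairs for the people or teams listed as contacts."""
    names = []
    for key, values in record.items():
        m = NAME_KEY_RE.match(key)
        if m:
            names.extend((m.group(1), v) for v in values)
    return names


def rank_contacts(contacts):
    """Company abuse/NOC/security mailboxes first, other company contacts next, registrar last."""
    def key(c):
        roles = " ".join(c["roles"]).lower()
        specific = any(w in roles for w in ("abuse", "noc", "security"))
        return (c["registrar_side"], 0 if specific else 1)
    return sorted(contacts, key=key)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    for c in rank_contacts(extract_contacts(rec)):
        print(c["email"], c["roles"], "(registrar)" if c["registrar_side"] else "")
    print(extract_names(rec))
```

Paste the output of `whois example.test` and `whois AS64496` (or the ARIN web lookup) into the sample string and the ranked list is your starting email list; the names go on the people list for the LinkedIn step.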
Okay, we've got enough to go on, probably
Send a test email to try and get bounces for common addresses we don't already know
[email protected] (except we know that one already, so don't)
[email protected]
[email protected]
[email protected]

To: '[email protected]' '[email protected]' '[email protected]' '[email protected]'
Subject: Test email to check for address validity


I would like to report a possible data breach. I am testing with the above email addresses to see if they exist.

I will send the information when I confirm these addresses are valid.

Thank you!

Avoid [email protected] [email protected] [email protected] unless you have absolutely nothing else to go off of
Wait 30 mins - if you get no bounce, they probably didn't return an error or didn't send a bounce back. If they are valid, you'll probably get someone reaching out anyway. If you get a bounce for only some, the others are valid.
Got a bounce for all - great work guys
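Added example (mine, not from the notes) for the bounce test: parse the delivery status notifications that come back and work out which probed addresses definitely don't exist (5.1.1 user unknown), which were rejected for some other reason (possibly existing but blocked by policy), and which gave no bounce at all, which, as noted above, is not proof the mailbox exists. The DSN and the address list are constructed samples, not real bounces.

```python
import email

# Constructed bounce (DSN) in the multipart/report format of RFC 3464, modelled
# on a Postfix-style "User unknown" rejection. Domains and mailboxes are invented.
SAMPLE_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example-parent.test>
To: reporter@reporter.test
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-boundary"

--dsn-boundary
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example-parent.test.

<security@example-parent.test>: Recipient address rejected: User unknown
<infosec@example-parent.test>: Recipient address rejected: User unknown

--dsn-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example-parent.test

Final-Recipient: rfc822; security@example-parent.test
Original-Recipient: rfc822;security@example-parent.test
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <security@example-parent.test>: Recipient
    address rejected: User unknown

Final-Recipient: rfc822; infosec@example-parent.test
Action: failed
Status: 5.1.1

--dsn-boundary--
"""

# The guessed addresses the probe went to (constructed list).
TESTED = [
    "security@example-parent.test",
    "infosec@example-parent.test",
    "it-security@example-parent.test",
    "cybersecurity@example-parent.test",
]


def classify_status(action, status):
    """Map a DSN action/status pair to what it says about the mailbox (RFC 3463 codes)."""
    action = action.strip().lower()
    status = status.strip()
    if action == "failed" and status.startswith("5.1.1"):
        return "no_such_user"      # 5.1.1: bad destination mailbox address
    if action == "failed":
        return "rejected"          # e.g. 5.7.x policy rejection: mailbox may well exist
    if action == "delayed":
        return "delayed"
    return action or "unknown"


def bounced_addresses(raw_dsns):
    """recipient -> classification, from the delivery-status parts of one or more DSNs."""
    results = {}
    for raw in raw_dsns:
        msg = email.message_from_string(raw)
        for part in msg.walk():
            if part.get_content_type() != "message/delivery-status":
                continue
            # Python parses this part into one Message per header block:
            # a per-message block (Reporting-MTA) then one block per recipient.
            for block in part.get_payload():
                recipient = block.get("Final-Recipient", "")
                if not recipient:
                    continue
                addr = recipient.partition(";")[2].strip().lower()
                results[addr] = classify_status(block.get("Action", ""), block.get("Status", ""))
    return results


def classify_probe(tested, results):
    """Split the probed list by what the bounces (or their absence) tell you."""
    return {
        "nonexistent": [a for a in tested if results.get(a.lower()) == "no_such_user"],
        "rejected": [a for a in tested if results.get(a.lower()) == "rejected"],
        # No DSN is not proof the mailbox exists: many sites silently drop bad recipients.
        "no_bounce": [a for a in tested if a.lower() not in results],
    }


if __name__ == "__main__":
    print(classify_probe(TESTED, bounced_addresses([SAMPLE_DSN])))
```

Save each bounce you get as raw text and feed the list to `bounced_addresses`; the "no_bounce" bucket is the one to wait the 30 minutes on, and "rejected" addresses are worth a second look at the Diagnostic-Code before writing them off.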
Order your list of emails and your list of people separately based on who can likely help you, here's what I had

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Timothy Calamari
[email protected]
ARIN contact

Joseph Crowley
[email protected] ?
Manager, Advanced Products & Services at Globalstar, Inc.

Erica Kelt
Public Relations / General Media Inquiries
[email protected] 

Samantha de Castro
Public Relations / General Media Inquiries
[email protected] 

Investor Relations / Financial Media
[email protected]

Matthew Young
Manager, Network Systems
Nov 2011 – Oct 2012 

Compose your message

Subject: Possible data breach of customer emails


I used the following email address to sign up for services from SPOT: [email protected]

This email was created specifically for the SPOT website and was entered only on this website. It has never been used anywhere else.

On 8/16/2017 I received an unsolicited commercial email to the [email protected] email. Below were the details:

From: [mailto:[email protected]] 
Sent: Wednesday, August 16, 2017 10:44 AM
To: [email protected]
Subject: Pet Supply – 15% Off

As you can probably guess, I did not sign up for spam email from on the SPOT-specific email. It seems likely that there may have been a data breach with your company or one of your partners.

Could you please get me in touch with your information security team or the appropriate resource so I can report this?

Please use my personal email [email protected] for correspondence regarding this issue.

Thank you,

Start with the top, try to limit contacts to one or two at a time that are related
First email to [email protected] and [email protected]
Second to just [email protected]
Third to [email protected] and [email protected]
Earlier in the process I sent this over the website contact form, but usually that's my least favorite way to do this
Wait for a response back and think about how much of your time you wasted reporting a breach for a company that obviously does not care about security cares about security but is scared to show it, baka~
Remember - if you report it at 11 p.m. on a Friday, don't expect a response until Monday or Tuesday at best
Great, the [email protected] and [email protected] emails bounced, good to know they take those seriously
Go ahead and report to ARIN that their WHOIS is wrong because fuck 'em accurate WHOIS info is important for the internet's anti-abuse mechanisms to work:
Get an email saying ARIN will ask the registrant for updated information, though they won't do anything further if the registrant doesn't respond
Further action plan:

  • Email people in your list and try to get in touch
    Example for Tim Calamari:
Hi Tim,

I am a customer of SPOT and I believe there may have been a data breach with your company or one of your partners.

Could you please get me in touch with your information security team or the appropriate resource so I can report this?

If you could provide their email address or give them mine, [email protected], I would appreciate it.

Thank you,

Only email one or two people at a time individually, and wait in between

  • Harvest those LinkedIn contacts from earlier
  • Call the customer care numbers, but expect frustration, just ask who to contact, don't try to explain the issue
  • Is it a big company? Maybe consider sending a tip to Krebs: [email protected]
  • Start cold calling those phone numbers of employees