MailAccess
Self-hostable OSINT platform for investigating email addresses. Fan out across breach databases, social networks, DNS records, and the open web — get back a unified exposure score and structured findings you can export or pipe into Maltego.
Built for security researchers, OSINT analysts, and penetration testers operating under authorization. Read DISCLAIMER.md before use.
Install
CLI only (no Docker)
pip install mailaccess
mailaccess investigate [email protected]
# Server starts automatically, runs investigation,
# stops when done.
# Option B: keep server running
mailaccess serve # in one terminal
mailaccess investigate [email protected] # in another
# Option C: full stack with Web UI
git clone https://github.com/YOUR_USERNAME/mailaccess
docker compose up -d
Quick Start
mailaccess investigate [email protected]
mailaccess investigate [email protected] -o report.pdf
mailaccess investigate [email protected] --format jsonl
mailaccess investigate - # read email from stdin
mailaccess serve # start backend server on :8000
mailaccess keys list
mailaccess keys set HIBP_API_KEY your-key-here
mailaccess modules
mailaccess doctor # coming soon
What It Does
- Identity graph — cross-platform correlation of accounts, usernames, and signals from each investigation
- Phone number recovery — pipeline to surface and validate numbers tied to the target
- Telegram / WhatsApp hints — lightweight messaging-app footprint checks alongside other modules
- YAML-driven platform system — social-style checks defined in
backend/platforms/; community extensible without new Python for each site - Concurrent module execution — all modules run in parallel, results stream as they arrive
- WebSocket streaming — partial results arrive in real time without polling
- REST API + web UI + CLI — use whatever interface fits your workflow
- Plugin module system — drop a
.pyfile inbackend/modules/and it auto-registers; no wiring required - 6 export formats: JSON, CSV, PDF, Markdown, STIX 2.1, Maltego XML
- Maltego local transform server — run investigations directly from the Maltego desktop app
- Webhook notifications — Slack, Discord, or any HTTP endpoint
- Exposure score (0–100) with risk label: low / medium / high / critical
- SQLite by default; PostgreSQL optional via Docker Compose profile
Modules
| Module | Coverage | Key Required | Opt-in |
|---|---|---|---|
| gravatar | Profile hash lookup | No | No |
| hibp | Breach check | Yes | No |
| emailrep | Reputation + blacklist | No | No |
| hudson_rock | Infostealer logs (free) | No | No |
| google_dork | 5 automated dorks | Yes (SerpAPI) | No |
| domain_intel | Domain + Shodan | No (Shodan optional) | No |
| dns_lookup | MX/SPF/DMARC/DKIM/A/NS extraction | No | No |
| whois_lookup | Domain WHOIS, privacy detection | No | No |
| social | 13 platforms via YAML | No | No |
| social_links | Username extraction, feeds pivot | No | No |
| account_discovery | Holehe 120+ platforms | No | Yes |
| user_scanner | 205+ platform vectors | No | Yes |
| whatsmyname | 700+ platforms | No | Yes |
| breachdirectory | 2nd breach source | Yes | No |
| username_pivot | WMN via recovered usernames | No | Yes |
| permutation_discovery | 60 email variants | No | Yes |
| phone_intel | Phone validation + WA/TG hints | No | No |
| messaging_hints | Telegram/WhatsApp username check | No | No |
| ghunt | Gmail deep intel | No (setup required) | Yes |
| identity_graph | Cross-platform cluster analysis | No | No (automatic) |
800+ platforms checked when all opt-in modules enabled. YAML platform system — add new platforms via PR, no Python required.
Identity Graph
Every investigation generates a cross-platform identity graph linking accounts by shared usernames, photos, display names, and breach data. View at:
/investigation/:id/graph
Export as D3-compatible JSON via GET /api/report/{id}/graph or fetch clusters with confidence scores via GET /api/report/{id}/clusters.
Findings are automatically grouped into identity clusters with confidence scoring. Use --show-collisions to expand low-confidence matches in CLI output.
Pipeline
MailAccess is pipeline-friendly: read target emails from stdin, stream JSONL output, and branch on exit codes in CI/CD scripts.
# Batch from file
cat emails.txt | mailaccess investigate -
# Stream JSONL
mailaccess investigate [email protected] --format jsonl | jq .
# Filter critical findings
mailaccess investigate [email protected] --format jsonl | jq 'select(.severity=="critical")'
Exit codes: 0 clean · 1 findings · 2 breaches · 3 error
See docs/integrations.md for GitHub Actions examples.
Adding a Platform
No Python required. Drop a YAML file in backend/platforms/:
cp backend/platforms/TEMPLATE.yaml backend/platforms/mysite.yaml
Edit fields, submit PR.
See CONTRIBUTING.md for full guide.
Export Formats
| Format | ?format= value |
Use case |
|---|---|---|
| JSON | json |
Programmatic use, archiving |
| CSV | csv |
Spreadsheet analysis |
pdf |
Human-readable reports | |
| Markdown | markdown |
Wikis, issue trackers |
| STIX 2.1 | stix |
Threat intelligence platforms |
| Maltego XML | maltego |
Maltego graph import |
Integrations
| Integration | How |
|---|---|
| Maltego | Local transform server at POST /maltego/email_investigate (no API key required) |
| Slack | Set SLACK_WEBHOOK_URL in .env |
| Discord | Set DISCORD_WEBHOOK_URL in .env |
| Generic webhook | INTEGRATION_WEBHOOK_URL + optional INTEGRATION_WEBHOOK_SECRET (HMAC) |
Self-Hosting
cp .env.example .env # all API keys are optional
docker compose up # backend :8000 · frontend :3000
Open http://localhost:3000 in your browser. Full setup guide: docs/self-hosting.md.
CLI Reference
| Command | Description |
|---|---|
mailaccess investigate <email> |
Run a full investigation against an email address |
mailaccess investigate - |
Read target email from stdin |
mailaccess serve |
Start the backend server on :8000 |
mailaccess history |
List past investigations |
mailaccess keys list |
Show all configured API keys |
mailaccess keys set <KEY> <value> |
Set an API key |
mailaccess keys unset <KEY> |
Remove an API key |
mailaccess config set-url <url> |
Point the CLI at a MailAccess instance |
mailaccess modules |
List all available modules |
mailaccess commands |
List all CLI commands |
mailaccess doctor |
Check configuration and module health (coming soon) |
The --output / -o flag on investigate saves the report to a file. The extension determines the format: .json, .csv, .pdf, .md, .stix.json, .maltego.csv.
API Keys
| Key | Module | Where to get it | Required? |
|---|---|---|---|
HIBP_API_KEY |
hibp |
https://haveibeenpwned.com/API/Key | Yes (module skips without it) |
SERPAPI_KEY |
google_dork |
https://serpapi.com | Yes (module skips without it) |
SHODAN_API_KEY |
domain_intel |
https://account.shodan.io | No |
EMAILREP_API_KEY |
emailrep |
https://emailrep.io | No |
HUNTER_IO_API_KEY |
hunter_io |
https://hunter.io | No |
SLACK_WEBHOOK_URL |
Webhooks | https://api.slack.com/messaging/webhooks | No |
DISCORD_WEBHOOK_URL |
Webhooks | Discord server settings | No |
Troubleshooting
Links
| Self-hosting guide | Docker Compose, .env reference, PostgreSQL, proxy/Tor, Maltego setup |
| Module reference | All modules, findings schema, adding new modules |
| API reference | REST endpoints, WebSocket events, authentication |
| Export formats | Supported formats, MIME types, filename conventions |
| Integrations | Maltego, Slack, Discord, generic webhooks |
| Contributing | Adding modules, adding exporters, code style, PR checklist |
| PyPI | pip install mailaccess |
| GitHub | Source code, issues, releases |
Comments