Nefarious or not, there is no contral control and management of email addresses (as opposed to the way the phone system was built – you know, an evil monopoly). Fundamentally, anyone who owns a domain (the IP address, but also a domain name) can issue email addresses subordinate to it. So, they could be getting email from pretty much anywhere.
There also is no standard way to manage email addresses within a domain. You don't have to provide a "real name" or validation of identity. So a provider may or may not have reverse lookup and it may or may not include a real name.
So, how nefarious people do things …
– Brute force is the main method. Try variants of the name (first.last, flast, lastfm, etc.) at popular email providers (gmail, verizon, at&T, yahoo, etc.). This has a low rate of success and will be even worse if you are looking for a specific person. It's only effectuve for people who don't care whom they are looking for and because it is easy and cheap to do thousands of thousands of attempts.
– Cyber Hunting. If you know where they would frequent online or in real life, try those websites and do a website specfic search for their name or nickname. That might lead you to an email. So, f'r'ex, if you know where they go to church, searching "Site:XYZChurch.org First Last" might give you pages with them mentioned, one of which may have their email.
– Set up an Internet node and glean for your person. This means run a server on the Internet and scan all the traffic for mention of the person you are looking for. This is completely ridiculous for you to do. I only mention it because it is possible and it is legal.
– All the other methods I know are illegal, and I won't walk someone through them here.
I recommend just calling them. If you're reusing them as a reference, you should probably call them first and talk about it anyway. If you just want to get back in contact with them, you are probably still better calling them and talking about it before you email them. For a number of reasons.
