Howto: setting a trap for a (potential) e-mail hacker

19 Feb 2008 | Security, PHP

This guide is heavily based on this post as seen on Digg, although I improved it a bit.

As explained in the link above, you may set up a fake e-mail message appealing to anyone who (for whatever reason, intended or not) has access to your e-mail account, and this message should trigger a warning back to you. I didn’t like the method used in the post for a few reasons. With the method used in the post, the “hacker”, or whoever is accessing your e-mail account, has to open an HTML file attached to your fake e-mail message, and the actual trigger is stored inside this HTML file. I don’t know about you, but I would double-check this HTML file in Notepad before opening it. And storing, let’s say, a password list (or whatever trick we’re using to lure the attacker to your fake e-mail) in an HTML file attached to a message is… quite strange and unusual.

Here’s what I’ve done to enhance this trick.

  • Like the original trick, I store a fake e-mail message on my own account with something appealing to the attacker in the subject line, like: a password list, a CC number, whatever.
  • The actual e-mail message, which is “rich-text formatted” (actually an HTML formatted e-mail message), contains an external image, displaying what seems to be a password list. Smash on your keyboard to fake some passwords ;)
  • That external image is hosted on a PHP web host, and we’re not actually calling this image directly (like example.com/passwords.jpg), but we’re calling a PHP script which outputs the image. It also reports back to you that your password is compromised.

Here’s the fun part. The PHP file should be hosted somewhere on the net, but I prefer to host it in a separate directory and name it index.php, so we can just point our browser to http://www.example.com/passlist/ and this script is run. Alongside this PHP file, make a fake password list as an image file in GIMP or Photoshop. I used a white background with black text formatted as Tahoma 12 pixels high, which is rather close to the font formatting webmail services use.

Here’s the PHP code in action:

<?php
// Serve the decoy image so the message renders normally.
header('Content-Type: image/jpeg');
$open = fopen("passlist.jpg", 'rb');
fpassthru($open);
fclose($open);
// Send the alert. Referer and User-Agent are optional request headers, so default to ''.
@ini_set("sendmail_from","Bilange's hacker alert <alert@bilange.net>");
@mail("__MAIL ADDRESS__","EMAIL HACKING ALERT!","Referrer: ".($_SERVER['HTTP_REFERER'] ?? '')."\nAgent: ".($_SERVER['HTTP_USER_AGENT'] ?? '')."\nAddr: ".$_SERVER['REMOTE_ADDR']);

The header(), fopen(), fpassthru() and fclose() calls output the image file read from passlist.jpg, and the last two statements report back to whatever address you want. In this example, you would replace __MAIL ADDRESS__ with any e-mail address where you want to receive your warning.

But wait… isn’t reporting back by e-mail idiotic? We’re ACTUALLY trying to protect our e-mail account!

Since most of us have one or more cell phones with SMS enabled, you can send your warning to a cell phone. You can send an SMS by sending a short message to a specific e-mail address. Bell Mobility users would send an SMS to (phone with area code here)@txt.bellmobility.ca, and Telus users would send it to (phone with area code here)@mms.telusmobility.com.
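A variant of index.php suited to the SMS gateway described above, as an added example that is not the original author's script: it strips control characters from the client-supplied headers, keeps the alert within a single 160-character SMS, forbids caching so each open of the decoy fires again, and keeps a local log. The `t` query parameter (one label per decoy message), the `build_alert()` helper and `alerts.log` are assumptions made for this example.

```php
<?php
// Added example. Assumed names: the "t" query parameter, build_alert(),
// alerts.log and the 160-character SMS budget.

// Build a short, printable alert line from data the requesting client controls.
function build_alert(array $server, string $token, int $limit = 160): string
{
    $clean = function (string $v, int $max): string {
        // Drop control and non-ASCII bytes (newlines included), then cap the length.
        return substr(preg_replace('/[^\x20-\x7E]/', '', $v), 0, $max);
    };
    $body = sprintf(
        'decoy=%s ip=%s ref=%s ua=%s',
        $clean($token, 16),
        $clean($server['REMOTE_ADDR'] ?? '?', 45),   // 45 fits a full IPv6 address
        $clean($server['HTTP_REFERER'] ?? '-', 40),
        $clean($server['HTTP_USER_AGENT'] ?? '-', 40)
    );
    return substr($body, 0, $limit);                 // final guard on the SMS budget
}

if (PHP_SAPI !== 'cli') {
    // Forbid caching so every open of the decoy message reaches this script.
    header('Content-Type: image/jpeg');
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    readfile(__DIR__ . '/passlist.jpg');

    // "?t[]=x" would make $_GET['t'] an array, so accept strings only.
    $token = is_string($_GET['t'] ?? null) ? $_GET['t'] : 'none';
    $alert = build_alert($_SERVER, $token);

    // Local record in case the mail or SMS gateway drops the alert.
    // Deny web access to alerts.log or move it outside the web root.
    error_log(gmdate('c') . ' ' . $alert . "\n", 3, __DIR__ . '/alerts.log');
    @mail('__MAIL ADDRESS__', 'EMAIL HACKING ALERT!', $alert);
}
```

The image URL in the decoy message would then carry the label, for example http://www.example.com/passlist/?t=inbox1, so that several decoys can share one script.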

I hope this helps!

All tips and articles contained on this website are put into the public domain.