
In the interests of full disclosure, I didn’t come up with this idea. I read about it in a computer magazine a year or two back, but of course when I wanted to refer to it for this article, I couldn’t find it! Someone on Digg eventually managed to track it down, so here is the original article if you want to see it.

As email providers give away more and more storage space, more and more personal information is being stored in those accounts. People are increasingly using their email accounts for more than just email – it has become their online document storage area, holding backup copies of passwords, bank account numbers, account usernames, scans of correspondence and much more. Even if you don’t use your email for this purpose, you may still be inadvertently revealing personal information in everyday conversation emails to family and close friends. A 6GB Gmail account or an unlimited-space Yahoo account is potentially an information bonanza for identity thieves who manage to figure out your email password and then go snooping.

But if someone HAS cracked your email password, it may not be apparent to you. A snooper can easily read an email and then mark it as unread again. So the best thing to do would be to set up an “electronic tripwire”, so that if someone breaks into your account, you’ll know about it.

Here’s how to do it:

    1. Sign up for a website hit counter at You can leave a fake name and whatever URL you want (I used for mine).

    2. You will then receive a welcome email from OneStat with a text attachment called OneStatScript.txt. Download this attachment to your computer and then delete the email (you don’t want any email snoopers finding it later). But before deleting the email, write down your OneStat account number as you will need it later.

    3. Change the name of the text document to something that will make the email snooper salivate, such as passwordlist. Also change the file extension from a text document (.txt) to a web page (.htm), so you end up with something like passwordlist.htm.

    4. Email this newly-renamed file as an attachment to the email account you want to monitor. Make sure the email subject line also lures the snooper in (maybe something like “List of Passwords”). You get the idea :)

    5. The trap is now set. If someone opens the email and then opens the attachment, OneStat will record a hit: the renamed file still contains the counter script, which reports back to OneStat’s server whenever the page is displayed in a browser. If you then log into your OneStat account, say once a day, you will see how many hits your attachment has had.


The OneStat account page then gives you details on each “visitor” including the date and time they accessed the web document and more importantly their location and IP address!
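The same tripwire can be built without a third-party counter: a bait HTML file whose only content is a beacon image pointing at a server you run, which logs the date, time and IP of every open. This is an added example, not code from the article or from OneStat; the beacon host, the token format and the log layout are assumptions chosen for the example.

```python
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Placeholder beacon URL (constructed for this example; point it at a host you run).
BEACON_BASE = "https://canary.example.invalid/hit"

# A 1x1 transparent GIF, returned to whatever rendered the bait so nothing looks broken.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
             b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

HITS: List[Dict[str, str]] = []   # in-memory hit log; persist it to a file in real use


def new_token() -> str:
    """Random per-bait token, so each planted file shows up separately in the log."""
    return secrets.token_hex(8)


def make_bait_html(token: str, beacon_base: str = BEACON_BASE) -> str:
    """Build the decoy page. It holds nothing sensitive; its only job is a beacon
    <img> that is fetched when the file is rendered with remote images enabled.
    Someone who reads the source in a text editor, or whose mail client blocks
    remote images, never triggers it, which is the limit the commenters point out."""
    return ("<!DOCTYPE html><html><head><title>Notes</title></head><body>"
            "<p>Loading...</p>"
            f'<img src="{beacon_base}?t={token}" width="1" height="1" alt="">'
            "</body></html>")


def record_hit(path: str, remote_ip: str, user_agent: str,
               now: Optional[datetime] = None) -> Optional[Dict[str, str]]:
    """Parse one beacon request and log date/time, IP and client. Requests without
    a token (random scanners hitting the server) are ignored rather than alerting."""
    token = parse_qs(urlparse(path).query).get("t", [""])[0]
    if not token:
        return None
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    entry = {"time": stamp, "ip": remote_ip, "token": token, "user_agent": user_agent}
    HITS.append(entry)
    return entry


def hits_for(token: str) -> List[Dict[str, str]]:
    """The equivalent of checking the OneStat page: every recorded open of one bait."""
    return [h for h in HITS if h["token"] == token]


class BeaconHandler(BaseHTTPRequestHandler):
    """Minimal beacon endpoint: log the hit, answer with the transparent pixel."""

    def do_GET(self) -> None:
        record_hit(self.path, self.client_address[0], self.headers.get("User-Agent", ""))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")   # force a fetch on every open
        self.end_headers()
        self.wfile.write(PIXEL_GIF)


if __name__ == "__main__":
    tok = new_token()
    with open("passwordlist.htm", "w", encoding="utf-8") as f:   # the bait file from step 3
        f.write(make_bait_html(tok))
    print("planted bait token:", tok)
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

A hit with a token you never planted, or from an IP you do not recognise at a time you were not logged in, is the signal to change the password immediately.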



So how does having this information help you? First of all, it alerts you to change your password to something stronger. Secondly, if you see the snooper’s location and you only know one or two people there, it narrows down your list of potential suspects.

By the way, I recommended signing up for OneStat because the author of the original idea mentioned them. But if you know of any other hit-counter services that send the counter script to your email address as a text document, please mention them in the comments. I have no financial interest in recommending OneStat, so I am perfectly happy to consider alternative companies.

  1. Encryption Software
    October 27, 2009 at 11:28 am

    Like most people, my email is usually petty, personal stuff. For example, I would not be the least bit hurt if someone read the latest email I sent to my brother, which included a list of potential skis to ride on this winter. Most email is irrelevant and petty interchange. However, I would not be so foolish as to send any valuable passwords and usernames over an open connection, even one as seemingly popular as Google. I would definitely encrypt the contents first so only the end user with the right encryption key could open it (and I would tell them the encryption key on the phone or some other secure line; NOT in the email).

  2. kunal
    August 21, 2009 at 7:58 am

    Hey that was too good
    But from the ip address how can we get the password of that person??????
    Plz help...

  3. margaret
    June 22, 2009 at 12:38 pm

    lol, i love it, thanks i really needed this info. definitely trying it..

  4. Bakz
    November 19, 2008 at 4:11 am

    Simple app for local encryption of your emails and IM:

    Works with all email clients. Free.

  5. Nan
    October 20, 2008 at 5:56 am

    I meant to say "Is it illegal to send this email to someone to find out what their IP address is to compare if that’s the person that has been in your email account?"

  6. Nan
    October 20, 2008 at 5:46 am

    Is it illegal to send this email to someone to find out what their IP address is to compare if that's the person that has been in your email account?

  7. Dave
    September 14, 2008 at 1:22 pm

    This is an interesting way, but if people are consistent enough to check that every day, they might as well use that energy on keeping their password safe in the first place.

  8. Justin
    July 15, 2008 at 11:05 pm

    It's amazing how much people depend on their email each and every day. I would recommend keeping multiple emails, and splitting up your important details/communications. Keep a strong password, and remember to never give your password out!! This will prevent script kiddies and not-so-knowledgeable hackers from obtaining your email password.


  9. Thierry
    July 5, 2008 at 10:50 pm

    Dear Mark,

    Nice review on Onestat function.

    but does it work if we ourselves click in rather than the hackers, just to test it?

    I've tried according to what you've suggested, step by step.

    & I've tried clicking it on my own, & found out that OneStat didn't make any hit records,

    or am I missing something here?

  10. Hami
    June 30, 2008 at 6:09 pm

    haha that's very true... why such big companies don't have a time stamp... that definitely will help!

  11. Davi
    May 11, 2008 at 5:27 pm

    I don't normally keep important stuff in my email. Email hacking seems to be a common thing nowadays. You see millions of sites being flooded on forums; they claim to get a password for 100 usd.. I wonder if it is true... Hami, I never used to believe in email hacking until it happened to my girlfriend.

    A guy hacked into her account and sent people nasty emails.

    It's sad...

  12. Hami
    May 11, 2008 at 11:58 am

    I don't believe in email hacking...! unless you give your password to somebody...

  13. email marketing elite
    April 22, 2008 at 1:08 pm

    February 14th, 2006 at 9: 53 am Feedblitz seemed to be the best I could find (feedburner integration is a bonus). With the paid version I don’ t get the heavy orange branding Mike speaks of, but I’ ve always wanted more in relation to the frequency. I want a console that allows me to do scheduling. More importantly, I want to check off which articles to include in the mailout. Email fatigue sets in quickly and blasting off every single post is a sure fire way to keep your churn rate high. The other question...

  14. Duvar Kagidi
    March 2, 2008 at 9:10 am

    Is it available in French? My English is not good.

  15. Florian Wiessner
    February 21, 2008 at 12:45 pm

    this will not work unless the guy reading your mail is a dumb-ass....

    real identity thieves don't use ms-crapware and won't let you get a hint from where they logged in, and if they do, they are using proxies or anonymizers...

    kind regards,


  16. perx
    February 20, 2008 at 4:31 pm

    hello, nice blog u got here......really interesting softwares and stuff
    could you tell me the code of those big digg and twit,etc buttons at the end of ur every post....i mean its really cool....please can u tell me...pretty please....

    • Mark O'Neill
      February 20, 2008 at 6:50 pm

      The Twitter one is from . The Digg one is from the Digg tools page - . I'm not sure about the others. I will ask Aibek and get back to you.

  17. Thomas Paine
    February 19, 2008 at 10:31 pm

    If you're going to use any e-mail program... encrypt everything.
    Especially if you're going to use a "free" e-mail such as google's gmail.
    These people think they can snoop your mail and create a database on even the mundane contents.

    They do this for marketing profits and to try to "make you a better webuser/consumer". Their aim is to change how you use the web and what you see and find easily.

    I say encrypt everything! Today no one should be communicating without using free public key encryption!

  18. Gary
    February 20, 2008 at 4:11 am

    A far superior method is to use
    Free, automatic email notification.
    Hide the linkblip url using another url shortening service eg. if you want.

  19. John
    February 19, 2008 at 5:36 pm

    Here are two freeware programs that can also protect your email and all your passwords.

    PointCrypt can be used to quickly encrypt any emails you send between other people you know. You only have to make two clicks to encrypt and decrypt the email contents. Strong BlowFish 64 encryption.

    Screen Saver Override has several features within, one allows for you to type in a simple password that you can always remember, then highlight it, and then press a function key (F8, etc). The password will be converted to a complex string from 8 to 32 characters long (you choose the length). This hard password then replaces the simple password where upon you can simply hit enter.

    Also can search: Gulf Coastal Software

  20. ldenoyer
    February 19, 2008 at 3:09 pm

    Will this trick tell me if FISA is reading my mail?

  21. Argo
    February 19, 2008 at 2:40 pm

    I store my password on PassPack. It is a great solution, in my opinion. I love 1click auto-login

  22. Ianf
    February 19, 2008 at 6:52 am

    How is that an “electronic tripwire”?

    For starters, the indicated method doesn't tell you IF your email account has been hacked UNLESS this “honeypot-sounding” file is accessed online; a dedicated “cracker” (not “hacker”) would surely download it to desktop/ inspect first offline. Clearly, it assumes that all crackers are utter morons, unable to see through such gee-advanced plot, such as this one of yours.

    There are social engineering and technological methods to detect mail intrusion without giving the game away, but nowhere near this simplistic, and this is not the forum to disclose them, thus educating wannabe-crackers.

  23. Steven
    February 19, 2008 at 5:12 am

    Would never work if the guy has half a brain... Why would you execute a file called passwords.htm? No one stores their passwords in an HTML file, if you're that new where your passwords are stored in a single file; you probably don't know how to create an HTML file.

    The best way to protect your email account is good and simple; change the password often, and check your settings... make sure no one setup all your messages to be forwarded somewhere else.

  24. Larry Lizzard
    February 19, 2008 at 4:13 am


    My online bank account does the same. It shows the last time you logged in and the IP address.

    I have submitted feedback to Gmail through their Help > Feedback. If everyone reading this, does the same, Gmail should pick it up soon I hope.

    A friend of my wife had the same problem with an ex-lover stalking her. He had placed a key logger program. That friend is blond, so she didn't know how to remove it ;-) This guy went quite crazy, even stalking her father etc.

  25. Shanti Braford
    February 19, 2008 at 2:48 am

    Nice tip =)

    I'll have to try this one.

  26. kaushik
    February 19, 2008 at 2:09 am

    How about being a little alert so that your account doesn't get hacked in the first place?

    If your account is hacked, 99% of the time you are at fault.

  27. Sangesh
    February 19, 2008 at 1:48 am

    I will try these suggestions. Thanks for this.

  28. dave
    February 19, 2008 at 1:19 am

    Why doesn't gmail just show the IP/ISP and time of the last login. If it's not your IP or at the wrong time you've been hacked. Some linux distros already show this info when you login via terminal.

    The only way round this is for the hacker to access the account from your connection at the same time you do. Not many hackers will go to these lengths.

  29. kualla
    February 19, 2008 at 12:50 am

    This is exactly the one security feature I wish google had (but my idea was slightly different)...

    Knowing a lot about web security vulnerabilities, this has always made me very leery about using email anywhere but my own home, and even then a bit worried someone could attempt to hack or crack into my account.

    My idea for Google email which I DID recommend to them is that they simply put a last login time or last accessed time. Simple yet very effective but until then this method will have to do and is a great idea. Only one downside about my method is that if a Google employee were to log into your email account and snoop around they could simply reset the last login time back. So in a way this is more secure against Google but then again Google could simply download your email as a text only file and circumvent the HTML from being loaded

  30. mark
    February 19, 2008 at 12:24 am

    haha, very nice trap!

  31. chris
    February 18, 2008 at 10:47 pm

    great! i just did this.

  32. Brad
    February 18, 2008 at 10:16 pm

    PC World had something on this a while ago; I subscribe to it.

  33. terry xu
    February 18, 2008 at 9:14 pm

    Great idea.

    I've just tried it out. Hope nobody has stolen my gmail account. It's terrible.

  34. Jordan
    February 18, 2008 at 8:43 pm

    For GMail users it would be better to embed the counter HTML/image or whatever, directly into an e-mail so it is opened when the e-mail is viewed. GMail users will have to click "Always Display Images for" to ensure that it will be accessed. People with their own domains can set up their own snazzy traps, to avoid using third-party stuff. For example Apache with MultiViews enabled in the .htaccess will allow such a thing as tracker.gif.php that will be accessible as tracker.gif, when accessed you could write the data to a log file, or send an e-mail to your phone. Snazzy indeed.

    I'm gonna go make my own right this second.

  35. Roman Geyzer
    February 18, 2008 at 8:28 pm

    Although I haven't personally used this service, there are only two "effective" ways to count a hit on an email. The first is if a small image, usually a 1x1 pixel image, is embedded in the page and is hosted by the counter service website OR for there to be a script that is fired off when the page is opened...again, hosted from the counter service website. The trouble is that most email browsers have a "click here to download images". Only if the user grants permission to download images will anything besides cleartext be displayed, rendering the hit-counter inoperable. A smart hacker would not likely click to download images. But your roommate - you'd probably catch them without much trouble :-)

  36. Justin Shattuck
    February 18, 2008 at 8:13 pm

    This is all ultimately worthless. The real issue, if your email service is compromised, comes down to good old user-prevention. Create strong passwords, change modestly strong passwords (less than 7 characters) regularly. Do not save passwords in your browser, text files, or on post it notes under your mouse pad!

    Scan regularly, keep your computer tidy -- fundamental elements that should all be followed prior to even feeling safe on a computer. Prevention is key to successfully maintaining your identity, online or off-line.

    Stay ahead; be proactive!

  37. hedgie
    February 18, 2008 at 7:44 pm

    Another thing you can do, especially if you are using Gmail, is go into the .txt file, search for "fraud click" and change it to something else (because in the gmail message, and if you open the html file in gmail, it shows the alt text and link text in the message summary). There are two instances of "fraud click" in the script.

  38. Ben Metcalfe
    February 18, 2008 at 6:59 pm

    It's a nice and elegant method, but as mentioned above has holes and weaknesses.

    I think it just supports the point that if your email box is at all sensitive (passwords, accounts, etc) you should be changing your password once a month at the very least.


  39. Markus Diersbock
    February 18, 2008 at 6:31 pm

    This would never work.

    A savvy techie would open an unknown html doc in a text editor first.

  40. Steve
    February 18, 2008 at 6:13 pm

    This is pretty lame. You have to check *every single day* just on the off chance that someone has not only hacked your account, but taken the bait. That's a lot of negatives, and probably some false negatives. It seems to rely on someone being smart enough to figure out your password, but dumb enough to think that your "passwordlist" is going to be stored on some external site with no password. Uh...

    I can think of security measures that would work (eg, an innocuous looking image or something that you must click within 5 seconds of logging in or trigger a password-changing alert), but they'd have to be built into the email software.


  41. Jeroen
    February 18, 2008 at 6:12 pm

    Or use an embedded counter image on a separate website as a counter. And save a normal HTML mail without any attachment that might not be opened. And hope the email gets opened with auto download www images on.

  42. Stolen
    February 18, 2008 at 6:07 pm

    Looks like the original article was written by Erik Larkin at Network World:

  43. Eric
    February 18, 2008 at 5:37 pm

    Like Justin said, this doesn't seem to be helpful against hackers...

    Rather, IMHO, I think this is better suited for catching your roommate/spouse/siblings/parents checking your e-mail rather than expecting to catch a hacker.

    I know you say it's not meant to be foolproof, Mark, but it still gives false hope... and false hope that your account has not been taken over is the very thing your system is supposed to fix =P.

  44. marsteel
    February 18, 2008 at 10:58 pm

    if the hacker blocks his pc's outbound connection to

  45. Jack Sparrow
    February 18, 2008 at 8:18 pm

    Sometimes I get into my ex-girlfriend's mail account to read her emails, I didn't hack it, I have always known the password because I created the account and she never thought to change the password even after our breakup.
    I read it then I always mark the email as unread.
    Yeah I'm a bastard but I can't get over her.

  46. Justin Shattuck
    February 18, 2008 at 8:59 am


    Although this may function to reveal someone snooping your inbox; it is not going to catch someone who is definitely intelligent enough not to be caught. To be completely honest, especially as an individual with a background in security; it would not be executed. The file would be edited initially through vi, notepad, or any other text-based editor to reveal its contents prior to any execution.

    This prevents people from having things exposed. However, using this psychology against hackers is entertaining because it is the same psychology that is used against their targets and victims.

    Decent write-up but I don't think it is going to stop anyone from doing anything; especially if they know what they're doing.

    • Mark O'Neill
      February 18, 2008 at 11:18 am

      Oh I never said it was foolproof. I for one wouldn't fall for it. But there's a lot of stupid people out there that would click on the attachment. So there's no harm in trying it and seeing who you snare with it.

      • Anonymous Coward
        February 18, 2008 at 10:37 pm

        I believe the harm is an implied, yet false, sense of security.
        Since you speak of "a lot of stupid people" on the bad side of the fence, you may want to preface your article with some notes about the flaws in your implementation to keep the "stupid people" on the friendly side of the fence from lapsing into a false sense of security and thinking they haven't been compromised when they actually have.
        I place "stupid" in quotes because I am reusing the term, not intending it for the actual meaning it implies.

        Your idea is novel but I would recommend emphasizing 3 things a bit more:
        - Password security in the first place (good password practices)
        - For the article to work two HUGE assumptions are being made:
        - The person who has succeeded in logging in is going to find the bait
        - This person is going to bite the bait and open the attachment in a browser, which assumes:
        - This person thinks the victim is silly enough to have a password list e-mailed to himself when most e-mail traffic is plaintext and insecure in the first place.
        - This person is silly enough himself/herself to open an html attachment in a browser as opposed to vi, notepad or your editor of choice as mentioned by Justin. Most e-mail programs don't deliberately disable the loading of images and external scripts from HTML e-mail for fun.

  47. marc
    February 18, 2008 at 8:53 am

    sounds like a good idea, i have to try this out!

  48. Peter
    February 18, 2008 at 7:51 am

    That seems like a lot of work. If you have any concerns that the account has been compromised why not just change the password and be done with it?

    • Mark O'Neill
      February 18, 2008 at 11:16 am

      Yeah but the whole point is that there is no way to know the account has been compromised. This method alerts you that the account has indeed been compromised.

    • RandomReader
      March 7, 2008 at 2:04 am

      In Gmail, changing the password might not solve the problem. If someone has already hacked your account and has an open session, and you change the password on your computer, the other one won't be kicked out of your account. Its current session will remain active and access to email unhindered.

      I tried, and that's true from my experience.

      • yugun
        May 26, 2009 at 1:23 pm

        you can logout all other sessions by clicking 'details' link at the bottom of the gmail page.

  49. Prakash
    February 18, 2008 at 3:22 am

    This is surely a great piece of tips that everyone should try, I think. Thanks for sharing this new idea.

  50. robojiannis
    February 18, 2008 at 3:15 am

    one way to secure your emails is Pretty Good Privacy. You can encrypt the mail you are sending and also put a signature on them.

    No cracker will phish them on their way and your signature validates your identity.

  51. Jack
    February 18, 2008 at 1:44 am

    Correct URL for OneStat free hit counter should be:

    • Aibek
      February 18, 2008 at 11:01 am

      Changed!
      Thank you

  52. TechSilo
    February 17, 2008 at 11:13 pm

    Wow! Very nice tips! I never realized people can hack our email easily, and honestly I don't care about it. Since I'm using Gmail, I think it's 100% safe. We trust Google, don't we? I'll definitely try this out. Hope OneStat doesn't get hacked later on.. ;-)

    • Jordan
      February 18, 2008 at 8:38 pm

      I'm sorry, but most things are not 100% safe, GMail included.
      For example, if you're not using a secure connection to GMail, and you're on the same network that I am, then I would be able to sniff your traffic, copy your cookies and log right into your account, no password needed. I would not know your password, but I would have full access to your account. Please don't assume you're 100% safe.

      • kunal
        August 21, 2009 at 7:55 am

        But after getting the ip how can one know the password???
        plz help

    • Tara Kelly (PassPack)
      February 19, 2008 at 3:46 am


      Yeah, unfortunately like the article mentioned, people are using Gmail to store their passwords. This is a good trick to figure out if someone manages to get in ... but it's probably just better NOT to store sensitive info in there in the first place.

      At least for passwords, there are tools out there built to protect them properly.

      Why you need a password manager.


      • RandomReader
        March 7, 2008 at 2:01 am

        Nicely plugged your own site there!

      • Passpack Client
        October 12, 2009 at 11:51 am

        Passpack was actually recommended by a friend and private investor. I tried it and had some problems with the site. I've sent in at least 4 tickets to the "customer support" and never heard a peep. Nice concept, poor execution.

  53. Syahid A.
    February 17, 2008 at 10:33 pm

    Very nice use of onestat Mark. I will definitely try this on my email account.

    • erik is a twit
      February 20, 2008 at 12:47 am

      Too bad the DEFAULT for ALL clients and webmail alike is to NOT SHOW IMAGES.

      email security = encryption

      Don't want someone reading your email? Use a secure environment, and follow security best practices.

      All web servers default to logging referer information. Do it yourself if you must.. keeping in mind its a waste of time given how images are NOT loaded by default in email.

      Email from one sender to another is not a one step process. It can be intercepted on any one of the stops, and more likely so if one of the stops is via an AT&T router since they've whored themselves out, along with google, to the NSA.
