The Broken Hut
Working my way up to a full-size building

Forging an email is the easiest thing in the world. Once you see how easy it is then I think you’ll understand why you should never trust the From header in an email.

A while ago I used the Montagues and Capulets to explain how the domain name system worked. I’ll do the same again to show how easy it is for anyone to spoof your email address.

The plot thickens!

As per the story, Romeo and Juliet are separated after the party. Tybalt wants to kill Romeo and knows he can use the lure of Juliet to trap him. Tybalt’s email address is tybalt@capulet.net but he wants to email romeo@montague.net as Juliet.

Ordinary email programs don’t allow you to pretend to be someone else (though they could if they wanted). But when a program sends an email it is just having a very simple conversation with a mail server using a predefined protocol. So all Tybalt needs to do is have that same ‘conversation’ with the mail server.

A program called telnet lets you get down to the gritty details. You can pretend you’re an email program, a web browser or anything else, as long as you give the correct response to the questions you receive from the other computer.

Tybalt gets started

First, he has to log in to the Capulet family mail server using telnet. The line with the dollar sign is where he runs it from the command line. You can easily try this at home if you know the name of your mail server.

$ telnet mail.capulet.net 25
Trying 192.168.2.14...
Connected to mail.capulet.net (192.168.2.14).
Escape character is '^]'.

The mail server sends messages prefixed with a number. This is the status code which your email program would recognise and respond to. The words on the rest of the line are put there for the benefit of people who want to test the system at this low level (or subvert it). Any line which doesn’t begin with a number is written by Tybalt.

First, the mail server identifies itself and then Tybalt does likewise—and pretends to be Juliet’s laptop.

220 mail.capulet.net ESMTP
HELO julietslaptop

The mail server then shows that it’s ready to take commands. This is where Tybalt pretends the email is coming from Juliet’s address and going to Romeo:

250 Nice to meet you julietslaptop
MAIL from: juliet@capulet.net
250 OK ... Sender accepted.
RCPT to: romeo@montague.net
250 OK ... Recipient accepted.

Then Tybalt has to tell the mail server to receive the content of the email, using the DATA command. Notice that he puts To and From information in this part of the message too. If he omitted these then Romeo would still get the message but the To and From headers in his email program would appear blank. This is like putting ‘Dear Romeo’ and ‘from Juliet’ inside the letter—the bit above is just the address on the envelope.

DATA
354 Ready for message. Enter "." on its own line to finish.
From: "Juliet" <juliet@capulet.net>
To: "Romeo" <romeo@montague.net>
Subject: secret meeting

Come to the town square at midnight, behind the clock.
Come alone and make sure you're not followed.

J. xxx
.
250 OK Message transmitted ID 82679401

The dirty deed is done. Tybalt can log off and head out to capture Romeo unawares.

Or will he?! Find out next time…
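The session above, seen from the mail server's side, as an added example that is not part of the original post: it walks the client's lines, records every identity the client asserted, and lists which of them nothing verified. The names `audit_session` and `SESSION` and the finding strings are made up for this example, and the sample input is constructed from the transcript.

```python
import re
from email.utils import parseaddr

# Constructed sample: the client's side of the session above (server replies omitted).
SESSION = """\
HELO julietslaptop
MAIL from: juliet@capulet.net
RCPT to: romeo@montague.net
DATA
From: "Juliet" <juliet@capulet.net>
To: "Romeo" <romeo@montague.net>
Subject: secret meeting

Come to the town square at midnight, behind the clock.
.
"""

def audit_session(client_lines):
    """Collect the identities a client asserted and list what nothing verified."""
    claims = {"helo": None, "envelope_from": None, "header_from": None, "auth": False}
    in_data = in_headers = False
    for line in client_lines:
        if in_data:
            if line == ".":                        # lone dot ends the message
                in_data = False
            elif in_headers and line == "":        # blank line ends the headers
                in_headers = False
            elif in_headers and line.lower().startswith("from:"):
                claims["header_from"] = parseaddr(line[5:])[1].lower()
            continue
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1].strip() if len(parts) > 1 else ""
        if verb in ("HELO", "EHLO"):
            claims["helo"] = arg
        elif verb == "AUTH":
            claims["auth"] = True                  # assumption: the attempt succeeded
        elif verb == "MAIL" and (m := re.match(r"FROM:\s*<?([^>\s]*)>?", arg, re.I)):
            claims["envelope_from"] = m.group(1).lower()
        elif verb == "DATA":
            in_data = in_headers = True
    findings = []
    if not claims["auth"]:
        findings.append("no AUTH: every sender address is an unverified client claim")
    if claims["helo"] and "." not in claims["helo"]:
        findings.append("HELO name is not a fully qualified domain name")
    if claims["header_from"] != claims["envelope_from"]:
        findings.append("header From differs from envelope sender")
    return claims, findings
```

Run on Tybalt's session, it reports the missing authentication and the bare HELO name but no envelope/header mismatch, because he made both addresses agree. Comparing the two addresses alone would not flag this message.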

I'm looking for advice here. I want access to a proper web host with enough space and reliability to do whatever comes to mind. I find the idea of a virtual server quite appealing. That would give me significant freedom in setting up my system or choosing the specific server configuration I want.

What do other people recommend? Ideally I would like:
  • Space to store big files (movies, music) should I want to transfer them elsewhere.
  • The bandwidth/transfer quota to do that if I need to. I don't want to pay through the nose for thousands of gigabytes transfer that I'm not using, but if I want to boost it for particular occasions that would be good.
  • Remote login for multiple users, so I can give limited accounts to family members for their own use.
  • Nippy access. I would prefer something local (to me) so Scotland-based, or UK-based, would be better than California.
  • Ability to install what I want: so my own IRC or jabber daemon, Darcs, and so on. Whatever takes my fancy, rather than something from a limited set of 'approved' programs.
What have you used in the past, and who do you find to be reliable? I'm not going to rush in to this but I'm getting pretty fed up of consumer-broadband upload and consumer-grade routers. Something with the flexibility of my own machine but the reliability of a hosting service. For the price of a small bag of chips and an Irn Bru, if possible. ;-)
This page was loaded Dec 7th 2009, 10:48 pm GMT.