Signed VERP in Ibex Mail
Signed VERP (including implementations such as BATV) addresses two important problems:
Signed VERP solves both of these problems.
Ibex Mail is designed to act as both an outbound SMTP server and inbound mail receiving agent for users. Acting as both components enables coordination between the outbound and inbound SMTP streams, which can be used to implement features such as Signed VERP.
The Envelope-From (also called MAIL_FROM or Return-Path) on every message relayed by Ibex Mail is cryptographically signed and timestamped using VERP.
Note that only the SMTP-level envelope addresses are changed; the From, Sender, and Reply-To headers of the messages are not altered, so the signed and stamped addresses are only visible to recipients if they inspect the message headers. Here is an example of what these addresses look like:
When Ibex Mail receives a message with a VERP-signed Envelope-From, it bypasses all other spam filtering mechanisms, including challenge-response whitelisting. This ensures that when an Ibex Mail user who has C/R enabled sends a message to another C/R user, the resulting challenge is delivered to the originating user.
Delivery status notifications (commonly called “bounce messages”) can be distinguished from regular email by the fact that they are sent with their Envelope-From set to the empty string, like this:
Subject: Returned mail: see transcript for details
When Ibex Mail receives such a message, it examines the Envelope-To (also called RCPT_TO). If this address bears a valid VERP signature with a timestamp less than 10 days old, the message is accepted as legitimate; otherwise it is discarded as likely backscatter.
If an email is sent from an Ibex Mail user's email address but not via Ibex Mail as the outbound SMTP server (for example, an “evite” or similar email sent with a “legitimately faked” address), such messages will not be VERP-signed, and any bounce messages they may generate will be discarded.
In theory, anybody who sees one of these addresses has a 10-day license to bypass all of my spam prevention measures and deposit unlimited amounts of unwanted mail in my inbox. In practice, this has never happened; if it did, this could be mitigated by accepting at most one email per uniquely signed address.
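The whole scheme described above (signing and timestamping the Envelope-From, accepting a signed Envelope-From past the filters, validating a bounce by the signature on its Envelope-To, discarding everything else as backscatter, and the single-use mitigation) fits in a few functions. The following is an added illustration, not Ibex Mail's own code: the `prvs=timestamp=tag=user@domain` layout, the HMAC-SHA256 tag, the placeholder key and the fixed clock are all assumptions made here, and the 10-day window is the one the text gives.

```python
import hashlib
import hmac
import time

# Constructed placeholder key: Ibex Mail's real key handling and address
# layout are not described on the page; everything below is illustrative.
SECRET_KEY = b"constructed-example-key"
MAX_AGE_SECONDS = 10 * 24 * 60 * 60  # the 10-day window from the text
TAG_PREFIX = "prvs"                  # BATV-style marker, an assumption here


def _tag(local_part, domain, ts, key):
    """HMAC-SHA256 over the bare address and timestamp, truncated for readability."""
    msg = f"{local_part}@{domain}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def sign_envelope_from(local_part, domain, now=None, key=SECRET_KEY):
    """Rewrite user@domain into a signed, timestamped envelope address."""
    ts = int(time.time() if now is None else now)
    return f"{TAG_PREFIX}={ts}={_tag(local_part, domain, ts, key)}={local_part}@{domain}"


def parse_signed_address(address):
    """Return (local_part, domain, ts, tag), or None if the layout does not match."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return None
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != TAG_PREFIX or not parts[1].isdigit():
        return None
    return parts[3], domain, int(parts[1]), parts[2]


def verify_signed_address(address, now=None, key=SECRET_KEY, max_age=MAX_AGE_SECONDS):
    """True only if the tag is genuine and the timestamp is less than max_age old."""
    parsed = parse_signed_address(address)
    if parsed is None:
        return False
    local_part, domain, ts, tag = parsed
    now = int(time.time() if now is None else now)
    if ts > now or now - ts >= max_age:
        return False  # future-dated or expired
    expected = _tag(local_part, domain, ts, key)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def classify_inbound(mail_from, rcpt_to, now=None, seen=None):
    """Decide what to do with an inbound message from its SMTP envelope alone.

    Returns one of:
      'accept-bounce'       empty MAIL FROM and RCPT TO carries a valid signature
      'discard-backscatter' empty MAIL FROM and RCPT TO is unsigned, expired or forged
      'bypass-filters'      MAIL FROM carries a valid signature (the C/R case)
      'filter'              everything else goes through normal spam filtering
    `seen` is an optional set implementing the at-most-one-message-per-signed-address
    mitigation mentioned in the text.
    """
    if mail_from == "":
        return "accept-bounce" if verify_signed_address(rcpt_to, now) else "discard-backscatter"
    if verify_signed_address(mail_from, now):
        if seen is not None:
            if mail_from in seen:
                return "filter"  # this signed address has already been used once
            seen.add(mail_from)
        return "bypass-filters"
    return "filter"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    signed = sign_envelope_from("alice", "example.com", now=t0)
    print(signed)
    print(classify_inbound("", signed, now=t0 + 3 * 86400))        # in window: accept-bounce
    print(classify_inbound("", signed, now=t0 + 11 * 86400))       # expired: discard-backscatter
    print(classify_inbound("", "alice@example.com", now=t0))       # unsigned: discard-backscatter
```

Two details matter for a defender: the tag comparison uses `hmac.compare_digest` so a forged tag cannot be confirmed byte by byte through timing, and the expiry check also rejects future-dated timestamps, so a leaked key cannot be used to mint addresses that stay valid beyond the intended window.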