Signed VERP in Ibex Mail

Signed VERP (including implementations such as BATV) addresses two important problems:

  1. Backscatter is becoming an increasingly severe problem.

  2. Users of spam filtering systems often do not receive automatically-generated replies to their messages.

Signed VERP solves both of these problems.

This feature is implemented and is currently being tested.

Ibex Mail is designed to act as both an outbound SMTP server and inbound mail receiving agent for users. Acting as both components enables coordination between the outbound and inbound SMTP streams, which can be used to implement features such as Signed VERP.

The Envelope-From (also called MAIL_FROM or Return-Path) on every message relayed by Ibex Mail is cryptographically signed and timestamped using VERP.

Note that only the SMTP-level envelope addresses are changed; the From, Sender, and Reply-To headers of the messages are not altered, so the signed and stamped addresses are only visible to recipients if they inspect the message headers. Here is an example of what these addresses look like:

VERP--119780908af-e90f-A8ylv2pW/pauH+A51gg7J9TgAMw=-adam@megacz.com

Challenge-Response Bootstrapping

When Ibex Mail receives a message with a VERP-signed Envelope-From, it bypasses all other spam filtering mechanisms, including challenge-response whitelisting. This ensures that when an Ibex Mail user who has C/R enabled sends a message to another C/R user, the resulting challenge is delivered to the originating user.

Backscatter Blocking

Delivery status notifications (commonly called “bounce messages”) can be distinguished from regular email by the fact that they are sent with their Envelope-From set to the empty string, like this:

MAIL FROM:<>
RCPT TO:<VERP--119780908af-e90f-A8ylv2pW/pauH+A51gg7J9TgAMw=-adam@megacz.com>
DATA
Subject: Returned mail: see transcript for details
...

When Ibex Mail receives such a message, it examines the Envelope-To (also called RCPT_TO). If this address bears a valid VERP signature with a timestamp less than 10 days old, the message is accepted as legitimate; otherwise it is discarded as likely backscatter.

Disadvantages

If an email is sent from an Ibex Mail user's email address but not via Ibex Mail as the outbound SMTP server (for example, an “evite” or similar email sent with a “legitimately faked” address), such messages will not be VERP-signed, and any bounce messages they may generate will be discarded.

In theory, anybody who sees one of these addresses has a 10-day license to bypass all of my spam prevention measures and deposit unlimited amounts of unwanted mail in my inbox. In practice, this has never happened; if it did, this could be mitigated by accepting at most one email per uniquely signed address.
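
The recipient check from "Backscatter Blocking", combined with the one-email-per-signed-address mitigation mentioned above, as an added sketch that is not Ibex Mail's own code. The address layout (hex timestamp, nonce, base64 tag), the truncated HMAC-SHA256 construction, the function names and the in-memory `seen` set are all assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

MAX_AGE_S = 10 * 24 * 3600   # the page's 10-day validity window
PREFIX = "VERP--"

def _mac(key, ts, nonce, addr):
    # HMAC-SHA256 truncated to 20 bytes to keep the local part short (assumed choice).
    msg = f"{ts}-{nonce}-{addr}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:20]
    return base64.b64encode(tag).decode()

def sign(addr, key, now=None):
    """Build the signed Envelope-From for an outbound message."""
    ts = format(int(time.time() if now is None else now), "x")
    nonce = secrets.token_hex(2)  # makes each signed address unique
    return f"{PREFIX}{ts}-{nonce}-{_mac(key, ts, nonce, addr)}-{addr}"

def check_signed_rcpt(rcpt, key, seen, now=None):
    """Return (accepted, original_address) for a message sent to rcpt."""
    now = time.time() if now is None else now
    if not rcpt.startswith(PREFIX):
        return False, None                      # unsigned: likely backscatter
    parts = rcpt[len(PREFIX):].split("-", 3)    # base64 never contains "-"
    if len(parts) != 4:
        return False, None
    ts, nonce, sig, addr = parts
    # Verify the MAC in constant time before parsing any field.
    if not hmac.compare_digest(sig.encode(), _mac(key, ts, nonce, addr).encode()):
        return False, None
    age = now - int(ts, 16)                     # safe: ts is authenticated
    if age < 0 or age >= MAX_AGE_S:
        return False, None                      # expired or future-dated
    if (ts, nonce) in seen:
        return False, None                      # signed address already used
    seen.add((ts, nonce))                       # in-memory here; persist in practice
    return True, addr
```

Entries in `seen` only need to be retained for the 10-day window, since older signed addresses are rejected by the age check anyway.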