While reviewing how VERP (http://en.wikipedia.org/wiki/Variable_envelope_return_path)is implemented in Moodle (see $CFG->handlebounces and related setting in config-dist.php), I realized some interesting facts:

• It cannot work in recent Moodle version (since CLI_SCRIPT constant has been introduced), yet nobody spotted it. Apparently it is not used much.
• Also, the SMTP setup instructions are obsolete as today, we cannot execute Moodle scripts via an user account that does not have write access to moodledata (even if they do not use moodledata and DB). Which itself is a good feature/check, not a bug.
• Currently it has certain design limitations. The intention (see commit bb64b51a from 2005) was that beside the email bouncing handling, activity modules could implement a callback to handle incoming emails. Not only we have much more plugin types today, but also the implementation expects that all module ids in the {modules}

  table are lower than 256 (see how pack() is used). Which can potentially lead to serious problems.

• A question comes to my mind - do we really these callbacks into plugins? I am not aware of any single plugin that would use it. And today, with the web services framework, I believe there are more better and secure way of doing such things. I would personally be happy with the proper email bouncing protection implemented.