Currently, as soon as an account is created on wikitech, the corresponding $user@tools.wmflabs.org works, regardless of whether the user has shell access or is a member of the Tools project. This is especially troublesome if a user is blocked in either of those, because the forwards will continue to work.
Instead, those mail addresses should only be accepted if the user is a member of the Tools project. This also applies to indirect tool maintainers' forwards (tools.$tool@tools.wmflabs.org).