I decided to put this page together because the subject has come up several times recently in newsgroups that I participate in, and it's easier to point someone to a web page than it is to explain it over and over.
Please note that if you're using a real email address and inserting a phrase like "RemoveThis", "Delete", "nospam" or anything similar you will get spam to that address. A spammer recently sent me part of his mailing list by accident. It contained 50,000 addresses, and only covered a little more than 3 letters of the alphabet. And it included 3 of my addresses. Someone had cleaned up the list removing the obvious phrases. At least the ones in English. I have it on good authority that similar phrases in Polish remained, probably other languages too. But you can't count on something that simple to protect an email address anymore.
There are two basic things to keep in mind. [1] Never expose a valuable address to spammers and [2] never use an email address that you don't have a right to use. If you don't own an address or have explicit permission to use it, you shouldn't use it.
If you want to use a munged address for newsgroups the first thing you have to decide is if you want people to be able to contact you by email. If you don't, then use a truly invalid address. If you do, use a disposable address. You can start with a disposable address and use the principles of creating an invalid address to make a munged address. A munged address is one that is invalid as presented, but can be modified to become valid. The reason for starting with a disposable address is so that you can dump it and get a new one if it gets more spam than you're comfortable with. Bear in mind that a munged address is going to cut down on legitimate responses from people who can't be bothered to unmunge it to do you a favor. If you do decide to mung, please be sure to explain how to un-mung it. Don't assume it will be obvious. People use legitimate addresses that look like they're munged, but they're not. Assuming can be dangerous.
This is particularly true on Usenet. But it also applies on private news servers since they are often harvested by spammers too. Also be aware that many mailing lists end up archived on a web page, where your address can be vulnerable to harvesting, although most I've seen now conceal the addresses. Most web forums that I've looked at allow you to hide your address, so they're somewhat safer, assuming they've done it correctly. I recommend using the same techniques there if possible just to be safe.
To avoid generating spam myself from addresses on this page, I'll use the RFC 2606 compliant domain example.com in my examples. Substitute your ISP or whichever domain you are entitled to use for example.com. I apologize for any confusion that may cause, but it's all about not generating any more spam.
Also keep in mind that spam bots will sometimes harvest Message IDs since they contain an @ symbol. Spam bots are stupid. So if your newsreader generates its own MIDs (Outlook Express does not) you want to set that to also use a truly invalid domain if you can. The same methods can apply. There may be as many as three fields to use these methods on:
Munged addresses and invalid addresses are done the same way, but the base address that you start with is different. For a munged address you need to start with a valid address.
When creating a munged address it's important to use one that won't impact someone else. Not only is it rude, it probably violates the TOS of your internet provider. You don't want to use an address that belongs, or may ever belong, to someone else unless you have permission to do so. And remember that just because an address doesn't exist today doesn't mean it won't exist tomorrow, or next year. That includes currently non-existent Top Level Domains (TLDs). Several years ago who would have expected .tv to become a valid TLD? The only truly invalid TLD to use is .invalid. See RFC 2606. Note that "invalid" must be after the last dot as in foo@example.invalid. If you use an address that is even partly valid, it can cause spam to be generated for the actual owner of that address or domain. Some domains on the internet are unusable for email because so many people have used them as improper spam mungs. One example is nospam.com, which I'm specifically not linking to here since it's apparently been taken over by an Overture powered search engine. Other examples are invalid.com and invalid.net. Those are all valid domains, so they're not acceptable to use in address munging.
To create a munged address you need to start with your own (preferably disposable) address, foo@example.com. It's generally considered to be acceptable to use foo@example.com.invalid or foo@example.invalid because any spam sent to those addresses (spam bots are stupid) will not go anywhere. Although the spammers may take foo@example.com.invalid, strip off the .invalid and start sending spam to foo@example.com. Or in the second case they could send to foo at example.com, example.net, example.org etc., so that's not optimal in my opinion. That's the problem with using any sort of common mung, the spammers can adapt to it. Be sure to include instructions on how to make the address usable, don't assume that it's obvious, people use some very odd but real addresses. Keep in mind that if you put the instructions in your sig, they'll be removed when someone using a compliant newsreader replies to your message.
It's not OK to use:
foo@deleteexamplespam.com or any other variation of an existing, valid domain name. There is simply no way to guarantee that someone won't want that domain someday. If so, they will get your spam.
foo@nospam.example.com because the example.com part is valid and spam could be sent to the servers at example.com.
foo.nospam@example.com because spam will be sent to the servers at example.com. And someone may even end up using that name. There's a reason for that: some worms that harvest email addresses avoid addresses with "nospam" in them, so some clueful people on Usenet use addresses containing that phrase.
foo.delete@example.com or foo@delete.example.com for the same reasons as above.
foo@example.com where that's a valid address and anything other than your own address. So you can't use microsoft.com no matter how much you dislike them. Or linux.org, or domains like nospam.com or spammerssuck.com or anything else that seems amusing, or insulting to spammers, or cute, because they are or could be valid domains. If the address is routeable over the internet, it will get spammed. Even if the foo part is not an actual address, the spam will still go to the servers for that domain and they have to deal with it. And it just clogs up the internet. And please note that privacy.net used to allow people to use "me" at their domain and then any email to that address would bounce with a note explaining that it wasn't a real address. However it appears that policies at the domain have changed, and that's no longer explicitly permitted, which means you shouldn't do it. Like nospam.com, privacy.net is now apparently affiliated with overture.com and provides a search engine.
Also, if you're going to mung your address, and then include instructions on how to contact you, please make them match. Some people's instructions say something like "Remove 'don't spam' and change 'invalid' to 'com' in my From to contact me", but if you look at the From it says something like "nospam.invalid.invalid". Obviously they changed one and not the other. If you want contact, make it easy for them. Otherwise just make it impossible, nobody wants to have to guess if an address will work. Besides which, if people are thinking about contacting someone privately to tell them about something embarrassing that they apparently posted accidentally, they're much less likely to do it if they have to jump through a bunch of hoops. And if the instructions say something like "remove every third character to get my real address" I know that I'll never bother to try.
If you really don't want to get email, use a really invalid address like foo@invalid.invalid, nospam@invalid.invalid or invalid@invalid.invalid. foo@[127.0.0.1] or foo@localhost also work because if someone sends spam to them, they don't leave the sending computer. However some newsreaders won't accept an address that doesn't have the correct syntax. And some others may not display it the way that you intended. And see above for examples of types of supposedly invalid addresses not to use.
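The rules above can be checked mechanically before you post. The following is an added example, not part of the original page: classify() sorts a From address into "invalid" (mail can never leave the sending machine), "own" (an address you listed as yours) or "unsafe" (routable and not yours), and unmunge() applies your posted instructions literally so a mismatch between instructions and address is caught. The function names and the sample addresses are constructed for illustration.

```python
# Added example: function names and sample addresses are constructed.
import ipaddress

def domain_of(address):
    """Return the lower-cased part after the last @."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an address: %r" % address)
    return domain.lower().rstrip(".")

def is_undeliverable(domain):
    """True if mail to this domain can never leave the sending machine."""
    if domain == "invalid" or domain.endswith(".invalid"):
        return True   # RFC 2606: "invalid" must come after the last dot
    if domain == "localhost":
        return True
    if domain.startswith("[") and domain.endswith("]"):
        try:          # address literal such as [127.0.0.1]
            return ipaddress.ip_address(domain[1:-1]).is_loopback
        except ValueError:
            return False
    return False

def classify(address, my_addresses):
    """Return 'invalid', 'own' or 'unsafe' for a From address."""
    if is_undeliverable(domain_of(address)):
        return "invalid"
    # Compared lower-cased; my_addresses holds addresses you may use.
    if address.lower() in {a.lower() for a in my_addresses}:
        return "own"
    return "unsafe"   # routable, and someone else's now or later

def unmunge(address, steps):
    """Apply (find, replace) steps exactly as the instructions state them."""
    for find, replace in steps:
        if find not in address:
            raise ValueError("instructions mention %r, not found in %r"
                             % (find, address))
        address = address.replace(find, replace, 1)
    return address

if __name__ == "__main__":
    mine = {"foo@example.com"}
    for addr in ("foo@example.invalid", "foo@[127.0.0.1]",
                 "foo@invalid.com", "foo@nospam.example.com"):
        print(addr, "->", classify(addr, mine))
```

Before posting a munged address, confirm that classify() reports the munged form as "invalid" and that unmunge() with your stated steps returns an address classify() reports as "own".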
One choice is to use a site that offers disposable addresses. I've used Sneakemail for years. They have free and paid services and are useful for much more than a newsgroup address. It's a great place to get an address to use when you have to register for something. Spamgourmet.com has been recommended by others too. There are other sites providing similar services. I can't vouch for anything that that link turns up, Sneakemail is the only one I've used personally.
If you have your own domain, or if your ISP allows you multiple addresses, create one just for newsgroups. Confirm that you'll have the ability to dump that address if you need to. If you want to really keep an eye on things, create a different one for different newsgroups or servers. That way you can determine where it gets harvested and how long it takes, if you care.
One simple solution is to create an address like newsJan05@example.com. If it gets spammed after a few months, stop accepting mail to that address and create newsJul05@example.com, or any other naming convention that makes sense to you.
Many people advise creating an address that contains the phrase "nospam" or "delete", like foodelete@example.com, since at least some worms won't send themselves to addresses containing those words. Make sure that phrase is on the correct side of the @ when you use it. Remember, it's a working address. The correct side in this case [unless you can create subdomains for your domain] is the left side of the @. foodelete@example.com would go to foodelete at example.com, so if that's you, that's the way you want to create the disposable address. foo@deleteexample.com would go to foo at deleteexample.com, which wouldn't work unless that's your domain. foo@delete.example.com would probably route to example.com, but most likely wouldn't get to you unless you have control over sub-domains. You may want to include a comment in your sig that the address is valid 'as is' to avoid confusion.
Bottom line, if you're going to break an email address to avoid having it harvested for spam, break it in a way that won't cause spam for someone else. If you're going to use a real address, do it right and you can minimize your spam exposure.
A couple of final thoughts. Never bounce spam. Most From addresses in spam are forged, so there's no point in sending bounces there. They'll either go nowhere in the case of an invalid address, or to an innocent 3rd party if the forged address happens to belong to someone. I know of people who have received tens of thousands of bounces for spam that they didn't send. If you'd like to report your spam and help clean up the internet, you can use Spamcop for free.
For more details on some of this you can also check my section on spam avoidance.
The best FAQ on address munging that I have found is several years old and somewhat out of date. But it's much more comprehensive and technical than what I have here. And I blatantly copied my disclaimer from that FAQ. There's more information on address munging at Wikipedia. Keep in mind that munging (or disguising) an address has some disadvantages. At best, munging an address is inconvenient for someone who wants or needs to contact you. At worst, it's unusable. I prefer a combination of invalid and disposable addresses.
Not everybody agrees that munging is a good idea, some people do not like munging at all. Personally, I prefer an invalid From, and a valid (but disposable) Reply To address.
And in case you're interested, it is spelled either mung or munge. Both have a history and both are perceived as correct by at least some people. A good case can be made for both, but for some reason I started this page with mung, and I've decided to keep it that way for consistency.
This document reflects the opinions of the author. This document is provided "as is" without any express or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the author/maintainer and/or contributors assume(s) no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.