I decided to put this page together because the subject has come up several times recently in newsgroups that I participate in, and it's easier to point someone to a web page than it is to explain it over and over.
There are two basic things to keep in mind. Never expose a valuable address to spammers, and never use an email address that you don't have a right to use. If you don't own an address or have explicit permission to use it, you shouldn't use it. Once an address is harvested you can never get it back, so it's better to be cautious. I have an address that was harvested off a friend's computer by a virus over 8 years ago, and it's now worked its way onto several spam lists.
If you want to use a munged address for newsgroups, the first thing you have to decide is whether or not you want people to be able to contact you by email. If you don't, then use a truly invalid address. If you do, use a disposable address. You can start with a disposable address and use the principles of creating an invalid address to make a munged address. A munged address is one that is invalid as presented, but can be modified to become valid. The reason for starting with a disposable address is so that you can dump it and get a new one if it gets more spam than you're comfortable with. Bear in mind that a munged address is going to cut down on legitimate responses from people who can't be bothered to unmunge it to do you a favor. If you do decide to mung, please be sure to explain how to unmung it. Don't assume it will be obvious; what's obvious to you may not be obvious to others. As one example, some people use legitimate addresses that look like they're munged, but they're not. Assuming can be dangerous.
This page primarily applies to Usenet. But it can be used on private news servers since they are often harvested by spammers too. Also be aware that many mailing lists end up archived on a web page, where your address can be vulnerable to harvesting, although most I've seen now conceal the addresses. Most web forums that I've looked at allow you to hide your address, so they're somewhat safer, assuming they've done it correctly. I recommend using the same techniques there if possible just to be safe.
To avoid generating spam myself from addresses on this page, I'll use the RFC 2606 compliant domain example.com in my examples. Substitute your ISP or whichever domain you are entitled to use for example.com. I apologize for any confusion that may cause, but it's all about not generating any more spam.
Keep in mind that spam bots will harvest Message-IDs since they contain an @ symbol. If your news reader generates its own MIDs (Outlook Express among others does not), you want to set that to also use a truly invalid domain if you can. The same methods can apply.
There may be as many as three fields to use these methods on:
Note that these instructions should only be used for news posts. You don't want to mung addresses in email since they aren't exposed to the same spamming risks and you almost certainly want an email response.
Munged addresses and invalid addresses are done the same way, but the base address that you start with is different. For a munged address you need to start with a valid address.
When creating a munged address it's important to use one that won't impact someone else. Not only is it rude, it probably violates the TOS of your internet provider. You don't want to use an address that belongs, or may ever belong, to someone else unless you have permission to do so. And remember that just because an address doesn't exist today doesn't mean it won't exist tomorrow, or next year. That includes currently non-existent Top Level Domains (TLDs). Several years ago who would have expected .tv to become a valid TLD? The only truly safe invalid TLD to use is .invalid. See RFC 2606. Note that "invalid" must be after the last dot as in firstname.lastname@example.org. If you use an address that is even partly valid, it can cause spam to be generated for the actual owner of that address or domain. Some domains on the internet are unusable for email because so many people have used them as improper spam mungs. Some examples are nospam.com, noemail.com, invalid.com and invalid.net. I'm deliberately not linking to any of those sites since the original owners apparently gave them up and they've been taken over by search portals or worse. Which just shows how much traffic they get. But those are all valid domains, so they're not acceptable to use in address munging.
To create a munged address you need to start with your own (preferably disposable) address, email@example.com. It's generally considered to be acceptable to use firstname.lastname@example.org or email@example.com because any spam sent to those addresses (spam bots are stupid) will not go anywhere. However, the spammers may take firstname.lastname@example.org, strip off the .invalid and start sending spam to email@example.com. Or in the second case they could send to foo at example.com, example.net, example.org etc., so that's not optimal in my opinion. That's the problem with using any sort of common mung: the spammers can adapt to it. Be sure to include instructions on how to make the address usable. Don't assume that it's obvious; people use some very odd but real addresses. Keep in mind that if you put the instructions in your sig, they'll be removed when someone using a compliant news reader replies to your message.
It's not OK to use:
firstname.lastname@example.org or any other variation of an existing, valid domain name. There is simply no way to guarantee that someone won't want that domain someday. If so, they will get your spam.
Also, if you're going to mung your address, and then include instructions on how to contact you, please make them match. Some people's instructions say something like "Remove 'don't spam' and change 'invalid' to 'com' in my From to contact me", but if you look at the From it says something like "nospam.invalid.invalid". Obviously they changed one and not the other. If you want contact, make it easy for them. Otherwise just make it impossible; nobody wants to have to guess if an address will work. Besides which, if a reader is thinking about contacting someone privately to tell them about something embarrassing that they may have posted accidentally, they're much less likely to do it if they have to jump through a bunch of hoops. If the instructions say something like "remove every third character to get my real address" I know that I'll never bother to try.
If you really don't want to get email, use a really invalid address like email@example.com, firstname.lastname@example.org or email@example.com. firstname.lastname@example.org or foo@localhost also work because if someone sends spam to them, they don't leave the sending computer. If it's going to really be invalid, no part of it should contain anything usable because some spammers will make "corrections" and send spam anyway. However, some newsreaders won't accept an address that doesn't have the correct syntax. And some others may not display it the way that you intended. And see above for examples of types of supposedly invalid addresses not to use.
Bottom line, if you're going to break an email address to avoid having it harvested for spam, break it in a way that won't cause spam for someone else. If you're going to use a real address, do it right and you can minimize your spam exposure.
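The domain rules above can be checked mechanically before posting. The following is an added example, not part of the original page: it classifies the domain in a header value according to the page's rules (`.invalid` must be the last label, `localhost` never leaves the sending machine, the RFC 2606 example domains are reserved, anything else may be or become a real domain). The function names, the choice of From, Reply-To and Message-ID as the fields to check, and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# RFC 2606 second-level domains reserved for documentation.
RESERVED_EXAMPLE = {"example.com", "example.net", "example.org"}


def classify_domain(header_value):
    """Classify the domain of a From, Reply-To or Message-ID value.

    Returns one of:
      "invalid-tld"  - last label is .invalid (the form the page recommends)
      "local-only"   - localhost; mail never leaves the sending machine
      "reserved"     - RFC 2606 example.com / example.net / example.org
      "real-domain"  - anything else: may belong to someone now or later
      "malformed"    - no local@domain; some newsreaders reject this
    """
    _name, addr = parseaddr(header_value)
    local, sep, domain = addr.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain:
        return "malformed"
    labels = domain.split(".")
    if labels[-1] == "invalid":          # "invalid" after the last dot
        return "invalid-tld"
    if domain == "localhost":
        return "local-only"
    if ".".join(labels[-2:]) in RESERVED_EXAMPLE:
        return "reserved"
    return "real-domain"


def lint_post(headers):
    """Return {field: classification} for the fields a harvester reads."""
    fields = ("From", "Reply-To", "Message-ID")   # assumed field set
    return {f: classify_domain(headers[f]) for f in fields if f in headers}


# Constructed sample headers (not from the original page).
SAMPLE = {
    "From": "Jane Poster <jane@nospam.invalid>",
    "Reply-To": "jane-news@invalid.com",
    "Message-ID": "<a1b2c3@newsreader.example.invalid>",
}

if __name__ == "__main__":
    for field, verdict in lint_post(SAMPLE).items():
        print(f"{field}: {verdict}")
```

Any field reported as `real-domain` that is not an address you own is the case the page warns about: spam sent there lands on whoever holds that domain.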
A couple of final thoughts. Never bounce spam. Most From addresses in spam are forged, so there's no point in sending bounces there. They'll either go nowhere in the case of an invalid address, or to an innocent 3rd party if the forged address happens to belong to someone. I know of people who have received tens of thousands of bounces for spam that they didn't send. If you'd like to report your spam and help clean up the internet, you can use Spamcop for free.
For more details on some of this you can also check my section on spam avoidance.
The best FAQ on address munging that I have found was last updated August 8, 1999 and is somewhat out of date. But it's much more comprehensive and technical than what I have here. And I blatantly copied my disclaimer from that FAQ. There's more information on address munging at Wikipedia. Keep in mind that munging (or disguising) an address has some disadvantages. At best, munging an address is inconvenient for someone who wants or needs to contact you. At worst, it's unusable. I prefer a combination of invalid and disposable addresses.
Not everybody agrees that munging is a good idea; some people do not like munging at all. Personally, I prefer an invalid From, and a valid (but disposable) Reply To address.
And in case you're interested, it is spelled either mung or munge. Both have a history and both are perceived as correct by at least some people. A good case can be made for both, but for some reason I started this page with mung, and I've decided to keep it that way for consistency.
Keep in mind that I am not responsible for any external sites linked to from my pages. They may look different to you, or even have effects on your browser or computer that are different than what I see due to different security settings and browsers. They could have also changed since I looked at them. To the best of my knowledge, they are all safe. But you surf at your own risk.
This document reflects the opinions of the author. This document is provided "as is" without any express or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the author/maintainer and/or contributors assume(s) no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.