I decided to put this page together because the subject has come up several times recently in newsgroups that I participate in, and it's easier to point someone to a web page than it is to explain it over and over.

There are two basic things to keep in mind. [1] Never expose a valuable address to spammers and [2] never use an email address that you don't have a right to use. If you don't own an address or have explicit permission to use it, you shouldn't use it. Once an address is harvested you can never get it back, it's better to be cautious. I have an address that was harvested off a friend's computer by a virus over 8 years ago, and it's now worked it's way onto several spam lists.

If you want to use a munged address for newsgroups the first thing you have to decide is whether or not you want people to be able to contact you by email. If you don't, then use a truly invalid address. If you do, use a disposable address. You can start with a disposable address and use the principles of creating an invalid address to make a munged address. A munged address is one that is invalid as presented, but can be modified to become valid. The reason for starting with a disposable address is so that you can dump it and get a new one if it gets more spam than you're comfortable with. Bear in mind that a munged address is going to cut down on legitimate responses from people who can't be bothered to unmunge it to do you a favor. If you do decide mung, please be sure to explain how to unmung it. Don't assume it will be obvious, what's obvious to you may not be obvious to others. As one example some people use legitimate addresses that look like they're munged, but they're not. Assuming can be dangerous.

This page primarily applies to Usenet. But it can be used on private news servers since they are often harvested by spammers too. Also be aware that many mailing lists end up archived on a web page, where your address can be vulnerable to harvesting, although most I've seen now conceal the addresses. Most web forums that I've looked at allow you to hide your address, so they're somewhat safer, assuming they've done it correctly. I recommend using the same techniques there if possible just to be safe.

To avoid generating spam myself from addresses on this page, I'll use the RFC 2606 compliant domain example.com in my examples. Substitute your ISP or whichever domain you are entitled to use for example.com. I apologize for any confusion that may cause, but it's all about not generating any more spam.

Keep in mind that spam bots will harvest Message-IDs since they contain an @ symbol. If your news reader generates it's own MIDs (Outlook Express among others does not) you want to set that to also use a truly invalid domain if you can. The same methods can apply.

There may be as many as three fields to use these methods on:

• The From line. Always use a munged or invalid address here. This is what spammers harvest the most because the process has the lowest overhead for them.
• The Reply To line. This is currently seldom harvested by spammers. At least so far. But since many posts are archived and will be available later, spammers could change their methods and harvest addresses that were used years before. This is the ideal place to use a disposable address. Almost all newsreaders will properly use this address when someone tries to reply by email to a post that you've made. There is no point in using invalid addresses in both fields. If one of them won't be usable just leave the Reply To blank.
• The Message-ID line. This is harvested because it contains an '@' symbol. No one will ever use it for legitimate email, so if you have control over this in your news reader, use an invalid domain here.

Note that these instructions should only be used for news posts, you don't want to mung addresses in email since they aren't exposed to the same spamming risks and you almost certainly want an email response.

Munged Addresses

Munged addresses and invalid addresses are done the same way, but the base address that you start with is different. For a munged address you need to start with a valid address.

When creating a munged address it's important to use one that won't impact someone else. Not only is it rude, it probably violates the TOS of your internet provider. You don't want to use an address that belongs, or may ever belong, to someone else unless you have permission to do so. And remember that just because an address doesn't exist today doesn't mean it won't exist tomorrow, or next year. That includes currently non-existent Top Level Domains (TLDs). Several years ago who would have expected .tv to become a valid TLD? The only truly safe invalid TLD to use is .invalid. See RFC 2606. Note that "invalid" must be after the last dot as in foo@example.invalid. If you use an address that is even partly valid, it can cause spam to be generated for the actual owner of that address or domain. Some domains on the internet are unusable for email because so many people have used them as improper spam mungs. Some examples are nospam.com, noemail.com, invalid.com and invalid.net. I'm deliberately not linking to any of those sites since the original owners apparently gave them up and they've been taken over by search portals or worse. Which just shows how much traffic they get. But those are all valid domains, so they're not acceptable to use in address munging.

To create a munged address you need to start with your own (preferably disposable) address, foo@example.com. It's generally considered to be acceptable to use foo@example.com.invalid or foo@example.invalid because any spam sent to those addresses (spam bots are stupid) will not go anywhere. Although the spammers may take foo@example.com.invalid, strip off the .invalid and start sending spam to foo@example.com. Or in the second case they could send to foo at example.com, example.net, example.org etc., so that's not optimal in my opinion. That's the problem with using any sort of common mung, the spammers can adapt to it. Be sure to include instructions on how to make the address usable, don't assume that it's obvious, people use some very odd but real addresses. Keep in mind that if you put the instructions in your sig, they'll be removed when someone using a compliant news reader replies to your message.

It's not OK to use:

• foo@deleteexamplespam.com or any other variation of an existing, valid domain name. There is simply no way to guarantee that someone won't want that domain someday. If so, they will get your spam.

• foo@nospam.example.com because the example.com part is valid and spam could be sent to the servers at example.com.
• foo.nospam@example.com because spam will be sent to the servers at example.com. And someone may even end up using that name. There's a reason for that: some worms that harvest email addresses avoid addresses with "nospam" in them, so some clueful people on Usenet use addresses containing that phrase.
• foo.delete@example.com or foo@delete.example.com for the same reasons as above.
• foo@example.com where that's a valid address and anything other than your own address. So you can't use microsoft.com no matter how much you dislike them. Or linux.org, or domains like nospam.com or spammerssuck.com or anything else that seems amusing, or insulting to spammers, or cute, because they are or could be valid domains. If the address is routeable over the internet, it will get spammed. Even if the foo part is not an actual address, the spam will still go to the servers for that domain and they have to deal with it. And it just clogs up the internet. Please note that privacy.net used to allow people to use "me" at their domain and then any email to that address would bounce with a note explaining that it wasn't a real address. However it appears that owners/policies at the domain have changed, and that's no longer explicitly permitted, which means you shouldn't do it.

Also, if you're going to mung your address, and then include instructions on how to contact you, please make them match. Some people's instructions say something like "Remove 'don't spam' and change 'invalid' to 'com' in my From to contact me". but if you look at the From it says something like "nospam.invalid.invalid". Obviously they changed one and not the other. If you want contact, make it easy for them. Otherwise just make it impossible, nobody wants to have to guess if an address will work. Besides which, if a reader is thinking about contacting someone privately to tell them about something embarrassing that they may have posted accidentally, they're much less likely to do it if they have to jump through a bunch of hoops. If the instructions say something like "remove every third character to get my real address" I know that I'll never bother to try.

Invalid Addresses

If you really don't want to get email, use a really invalid address like foo@invalid.invalid, nospam@invalid.invalid or invalid@invalid.invalid. foo@[127.0.0.1] or foo@localhost also work because if someone sends spam to them, they don't leave the sending computer. If it's going to be really be invalid, no part of it should contain anything usable because some spammers will make "corrections" and send spam anyway. However some newsreaders won't accept an address that doesn't have the correct syntax. And some others may not display it the way that you intended. And see above for examples of types of supposedly invalid addresses not to use.

Disposable Addresses

• One choice is to use a site that offers disposable addresses. I've used Sneakemail for years. They used to have free and paid services but now only have paid accounts. However $2/month is pretty cheap and they are useful for much more than a newsgroup address. It's a great place to get an address to use when you have to register for something. I also use Spamgourmet.com which is totally free has been recommended by others too. The two services work slightly differently, so pick something that fits your needs. There are other sites providing similar services. I can't vouch for anything that that link turns up, Sneakemail and Spamgourmet are the only ones I've used personally.
• If you have your own domain, or if your ISP allows you multiple addresses, create one just for newsgroups. Confirm that you'll have the ability to dump that address if you need to. If you want to really keep an eye on things, create a different one for different newsgroups or servers. That way you can determine where it gets harvested and how long it takes, if you care.
• One simple solution is to create an address like newsJan05@example.com. If it gets spammed after a few months, stop accepting mail to that address and create newsJul05@example.com, or any other naming convention that makes sense to you.
• Many people advise creating an address that contains the phrase "nospam" or "delete", like foodelete@example.com, since at least some worms won't send themselves to addresses containing those words. Make sure that phrase is on the correct side of the @ when you use it. Remember, it's a working address. The correct side in this case [unless you can create subdomains for your domain] is the left side of the @. foodelete@example.com would go to foodelete at example.com, so if that's you, that's the way you want to create the disposable address. foo@deleteexample.com would go to foo at deleteexample.com, which wouldn't work unless that's your domain. foo@delete.example.com would probably route to example.com, but most likely wouldn't get to you unless you have control over sub-domains. You may want to include a comment in your sig that the address is valid 'as is' to avoid confusion.

Bottom line, if you're going to break an email address to avoid having it harvested for spam, break it in a way that won't cause spam for someone else. If you're going to use a real address, do it right and you can minimize your spam exposure.

A couple of final thoughts. Never bounce spam. Most From addresses in spam are forged, so there's no point in sending bounces there. They'll either go nowhere in the case of an invalid address, or to an innocent 3rd party if the forged address happens to belong to someone. I know of people who have received tens of thousands of bounces for spam that they didn't send. If you'd like to report your spam and help clean up the internet, you can use Spamcop for free.

For more details on some of this you can also check my section on spam avoidance.

The best FAQ on address munging that I have found was last updated August 8, 1999 and is somewhat out of date. But it's much more comprehensive and technical than what I have here. And I blatantly copied my disclaimer from that FAQ. There's more information on address munging at Wikipedia. Keep in mind that munging (or disguising) an address has some disadvantages. At best, munging an address is inconvenient for someone who wants or needs to contact you. At worst, it's unusable. I prefer a combination of invalid and disposable addresses.

Not everybody agrees that munging is a good idea, some people do not like munging at all. Personally, I prefer an invalid From, and a valid (but disposable) Reply To address.

And in case you're interested, it is spelled either mung or munge. Both have a history and both are perceived as correct by at least some people. A good case can be made for both, but for some reason I started this page with mung, and I've decided to keep it that way for consistency.

Keep in mind that I am not responsible for any external sites linked to from my pages. They may look different to you, or even have effects on your browser or computer that are different than what I see due to different security settings and browsers. They could have also changed since I looked at them. To the best of my knowledge, they are all safe. But you surf at your own risk.

This document reflects the opinions of the author. This document is provided "as is" without any express or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the author/maintainer and/or contributors assume(s) no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

The only information that I collect is page hit counts. My web host Penguinhost.net keeps track of lots of things and makes the information available to me in pretty graphs and logs. I look at them occasionally, but there is no personally identifiable information there.

Validated by HTML Validator (based on Tidy)