Yes, my suggestion is to use a catchall address but to contain it to a specific subdomain rather than to the root domain, which would then be vulnerable to dictionary attacks sent to sales, webmaster, etc.

Doing this also helps track down the source of infected messages.

JavaScript To Hide Your Email Address

Here's an easy way to hide an email address on a web page. Use JavaScript to dynamically build the mailto link. Doing it this way breaks up the email address into variables and "hides" it so that it's not displayed in its entirety on the web page or in the page code. This prevents the harvesting spiders from seeing it as an email address -- if they can't find it, they can't harvest it. Some may say a drawback to this strategy is the email address isn't spelled out on the page, but then that's the whole idea behind doing it this way. Hey, it ain't the be-all, end-all to email harvesters, but it'll certainly slow 'em down. 

Just put the JavaScript code (see below) into your html page where you want your email link to appear and customize it with your email address info.

In the JavaScript sample below, replace "myemail" with your email account name, and replace "somedomain.com" with your domain name. The subjecttext variable can be used to automatically fill in the email's subject line if you want. Or, if you'd rather leave the subject line blank and let the user fill it in, just don't put anything in that variable. (More about this a bit later.)

Here's the script:

<script language="javascript">
<!-- hide from older browsers
  var username = "myemail";
  var hostname = "somedomain.com";
  var subjecttext = "Subject%20Text%20Here";
  var linktext = "Email Me";
  document.write("<a href=" + "mail" + "to:" + username +
     "@" + hostname + "?subject=" + subjecttext + ">" + linktext + "</a>")
//-->
</script>

Here's an example:

Let's say your email address is susanjones@susansgreatwebsite.com.
Also, let's say when someone sends you an email by clicking the link on your web page you'd like for the subject line to read "A Message To Susan From The Web Site".

In the script below let's change the variables -- those parts in quotes -- and customize it to Susan's email address:

• Change "myemail" to "susanjones" -- Yes, you must use the quote marks, and you must leave the semi-colon at the end of each line.
• Change "somedomain.com" to "susansgreatwebsite.com"
• Change "Subject%20Text%20Here" to "A%20Message%20To%20Susan%20From%20The%20Web%20Site" -- We'll come back to those %20 things . . just hang on.
• Finally, change "Email Me" to "Email Susan" -- or leave it as Email Me if that works for you. This is the text for the clickable link that will appear on the web page.
• Don't mess with the document.write part. That's the part that takes all the variables and puts them together when someone clicks the 'Email Me' link.

Now, about those %20 things in the subject line -- they will be converted to spaces when that line of text is put into the subject line of the email message. So, if your subject line has spaces in it -- which most will -- be sure to put %20 every place you want a space to appear. (It's a JavaScript thing.) And, be sure you don't accidentally enter a real space (don't hit that spacebar!) when you're typing the subject line. If you have actual spaces in the line it won't work.

As mentioned above, if you don't want to specify a subject line just delete the text inside the quote marks, which will effectively put nothing in the subject line. Don't delete the subjecttext line out of the code. Deleting it will "break" the script. Just do it this way:  var subjecttext = "";

Finally, what you'll see on your web page is a clickable link -- a hyperlink -- that says:  Email Susan.  When a visitor to your web site clicks the link it will open an email window addressed to susanjones@susansgreatwebsite.com, with a subject of A Message To Susan From The Web Site.

And, the best part is those nasty email harvesting spiders won't be able to figure it out! 

I have just moved my domain to Lunarpages. I have enabled Spam Box, but I am unsure how to proceed in setting it up. I use Outlook 2000. Advice would be most appreciated.

H3

I have SpamAssassin setup to add [**SPAM**] to the subject of emails then deliver them as usual. Then in the email client I have a filter setup to automatically move emails with that in the subject to a junk mail folder. I can then go through and review them (basically looking at who they are from and the subject) to make sure nothing got flagged incorrectly. So far, I haven't had any problems... except an email newsletter which has a score around 120, which I added to my whitelist to avoid having it flagged... just another option...

what i do is setup a forwarder to my main address for each time i do business with whoever. then, if i start getting spamed on one of those forwarded addys i just delete it. sounds simple (and it is) but it works for me.  oh bye the way. the setting on the default address should be set to :fail: not :blackhole: blackhole can cause problems. jmho 

This may be a bit lengthy, but please bear with me.

I started to have a flood of “bounced” emails appear on catch-all email account a few weeks ago. They were all returned to non-existent addresses on my domain. When I carefully opened at a few of the original messages, they were obviously spam sent to what appeared to be legitimate addresses from what appeared to be non-existent addresses on my domain. The non-existent addresses were 3-6 random characters long.

I immediately changed all of the passwords on my domain and email accounts, but the bounces continued.

Digging deeper, I reviewed the prior email in my catch-all account. I found a pattern of emails from about a week before the flood of bounces. I had received about 10 emails to the non-existent account thisisjusttestmessageatall@<my domain>.com over a 12 hour period. Each one claimed to be from a different, seemingly legitimate email addresses. Each message was received and no responses or bounce notices were sent. When I carefully opened them, each one contained 3 short lines of random phrases.

A few weeks before that, I transferred my stealthed domain account from another registrar to LP (still stealthed ). I do not mean imply any link, but I do not rule it out either and I include the info in case it’s useful to anybody else.

I use a combination of methods to avoid spam and track who has which of my email addresses and the catch-all account helped. Having the continuous flood of bounced emails is not acceptable.

Perhaps worse, it appears that someone is claiming to be originating spam from my domain. That is not acceptable either.

What happened? (fact mixed with theory)
1) My registrar change got logged someplace public. I don’t know where.
2) A spammer harvested the domain name from the public place.
3) The spammer probed the domain looking for a catch-all account using: thisisjusttestmessageatall@<my domain>.com.
4) When the emails did not bounce after about 5 days (the probe requires the delay due to the way mailers work), the spammer had a domain with a catch-all account.
5) Spam was generated with doctored headers to appear to come from my domain.

What did I do?
1) I changed my catch-all account to :fail: to deny future probes and to end the bounce flood.
2) I changed part of my email strategy to include forwarders.
3) I started using SpamAssassin (probably won't  help in this case)

Is this chance or did I cause an issue for LP? A couple days after I made my changes, I get a notice from LP that they are moving my account to another server.

Kudos to:
I theorize that catch-all accounts are valuable to spammers because it is more difficult to verify if an email account exists or not. This allows spammers to evade filter services that check for the validity of the return address (Comments? Is this premise reasonable?).

Kudos to:
(I assume “default” was intended to be “catch-all”)
and lemons to
From the probe’s point of view, a catch-all blackhole is the same as email received.

Does any of this make sense?

I'm not sure what the intent of the test probes would have been. Maybe to try to locate a valid email address at your domain in order to make the spoofs look more real.

However it looks like your basic problem is that someone is sending spam to others using a forged return address that appears to be from your domain. This is easy to do, and there is nothing you can do to stop them. They didn't have to do the probes to accomplish this, and you weren't hacked, if that was a concern. They're just making up xxx yyy zzz addresses @yourdomain.com and using those as the From: lines. When the intended recipients of the spam also turn out to be nonexistent addresses, or if the emails are refused by the servers, the bounce notices get sent back to you. There is nothing you can do about this, and nothing Lunarpages can do about it, either.

Although you track who has each of your legitimate email addresses, remember that people can send spam to any made-up addressee at your domain. Just because you receive spam doesn't mean that your address has leaked out. You could only infer a leak if you got mail to a non-obvious legitimate email account that wasn't publicly known.

Search these forums for "SPF record". (It's "sender policy framework".) That would at least allow you to publicly state who is authorized to send mail on behalf of your domain. However, not many mail servers check SPF records, so it might not help much. It would show that you're aware of the problem and trying to do something about it, though.

The necessity for a change of server was probably due to some other cause, which you should investigate thoroughly. The email mods you described wouldn't cause a problem, but if your site is causing other issues, take the change of server as a serious warning that there is something you must fix quickly.