reserved-email-addresses-list
v2.0.16
Published
List of 1250+ generic, admin, mailer-daemon, and no-reply usernames reserved for security concerns. Made for Forward Email <https//forwardemail.net>.
Readme
reserved-email-addresses-list
Comprehensive list of reserved email addresses with Unicode homograph protection and international support. Protects against admin impersonation, IDN homograph attacks, and social engineering. Made for Forward Email.
Table of Contents
- ✨ Latest Improvements - Enhanced Security & Usability
- 🛡️ Security Features
- 🚀 Quick Start
- 📦 Installation
- 💡 Usage
- 📋 Lists
- 🛡️ Security
- 🌍 International Support
- ⚡ Performance
- 🔄 What"s New
- 📚 API Reference
- 🔗 References
- 👥 Contributors
- 📄 License
✨ Latest Improvements - Enhanced Security & Usability
[!NOTE] Latest Version introduces significant security and usability improvements:
- 94.2% reduction in false positives (removed 1,389 arbitrary restrictions)
- 3,074 Unicode homograph variations added for security
- 35 translated admin terms properly supported
- Comprehensive IDN attack protection against Cyrillic, Greek, and other scripts
[!TIP] Backwards Compatible: All existing functionality is preserved. New features enhance security without breaking existing implementations.
🛡️ Security Features
Unicode Homograph Protection
Protects against IDN homograph attacks using visually similar characters:
- Cyrillic lookalikes:
аdmin(Cyrillic "а") vsadmin(Latin "a") - Greek lookalikes:
αdmin(Greek "α") vsadmin(Latin "a") - Number substitutions:
adm1n(digit "1") vsadmin(Latin "i") - Fullwidth characters:
admin(fullwidth "a") vsadmin(Latin "a") - Mixed script attacks:
αdmіn(Greek "α" + Cyrillic "і")
International Support
Properly protects translated administrative terms:
- Portuguese:
naoresponda(do not reply),administracao,contato - Spanish:
administracion,contacto,soporte,conserje - French:
administration,ne-pas-repondre - System variants:
sys.administrator,sysadministrator,system-administrator
🚀 Quick Start
npm install reserved-email-addresses-list email-addressesconst reservedList = require("reserved-email-addresses-list");
const emailAddresses = require("email-addresses");
function isReserved(email) {
const parsed = emailAddresses.parseOneAddress(email);
if (!parsed) return false;
const local = parsed.local.toLowerCase().trim();
return reservedList.includes(local);
}
// Basic check
console.log(isReserved("[email protected]")); // true
console.log(isReserved("[email protected]")); // false
// Unicode homograph protection
console.log(isReserved("а[email protected]")); // true (Cyrillic "а")
console.log(isReserved("α[email protected]")); // true (Greek "α")
console.log(isReserved("[email protected]")); // true (digit "1")📦 Installation
npm
npm install reserved-email-addresses-listyarn
yarn add reserved-email-addresses-listpnpm
pnpm add reserved-email-addresses-list[!TIP] Recommended: Also install
email-addressesfor robust email parsing and validation.
💡 Usage
Basic Usage
const reservedList = require("reserved-email-addresses-list");
// Check if email address is reserved
const email = "[email protected]";
const isReserved = reservedList.includes(email.split("@")[0].toLowerCase());Advanced Security Checks
const reservedEmailAddressesList = require("reserved-email-addresses-list");
const reservedAdminList = require("reserved-email-addresses-list/admin-list.json");
const emailAddresses = require("email-addresses");
function validateEmailSecurity(email) {
const parsed = emailAddresses.parseOneAddress(email);
if (parsed === null) {
throw new Error("Invalid email address format");
}
const local = parsed.local.toLowerCase().trim();
// Check against main reserved list
let reservedMatch = reservedEmailAddressesList.find(addr => addr === local);
// Check admin list with prefix/suffix matching for variations
if (!reservedMatch) {
reservedMatch = reservedAdminList.find(
addr => addr === local || local.startsWith(addr) || local.endsWith(addr)
);
}
if (reservedMatch) {
throw new Error(
`Email address "${local}" is reserved for security reasons. ` +
`Matched reserved term: "${reservedMatch}". ` +
`See https://forwardemail.net/reserved-email-addresses for details.`
);
}
return true;
}
// Examples
try {
validateEmailSecurity("[email protected]"); // Throws error
} catch (err) {
console.error(err.message);
}
try {
validateEmailSecurity("а[email protected]"); // Throws error (Cyrillic)
} catch (err) {
console.error(err.message);
}
validateEmailSecurity("[email protected]"); // Returns trueUnicode-Safe Validation
[!IMPORTANT] Always normalize Unicode input to prevent homograph attacks:
const reservedList = require("reserved-email-addresses-list");
function isReservedUnicodeSafe(email) {
const parsed = emailAddresses.parseOneAddress(email);
if (!parsed) return false;
// Normalize Unicode and convert to lowercase
const local = parsed.local.normalize("NFKC").toLowerCase().trim();
return reservedList.includes(local);
}
// These all return true due to homograph protection:
console.log(isReservedUnicodeSafe("[email protected]")); // Latin
console.log(isReservedUnicodeSafe("а[email protected]")); // Cyrillic "а"
console.log(isReservedUnicodeSafe("α[email protected]")); // Greek "α"
console.log(isReservedUnicodeSafe("a[email protected]")); // Fullwidth "a"📋 Lists
List Types
| List | Entries | Description | Use Case | | -------------------------------------------- | ------- | -------------------------------------- | --------------------------- | | index.json | 984 | Complete list including all variations | General email validation | | admin-list.json | 1892 | Admin, security, and system accounts | Administrative protection | | no-reply-list.json | 347 | No-reply and automated email addresses | Automated system protection |
[!NOTE] Hierarchical Structure:
index.jsonincludes all entries fromadmin-list.jsonandno-reply-list.json.
Formats Available
// Array format (default)
const reservedArray = require("reserved-email-addresses-list");
// Also: require("reserved-email-addresses-list/array");
// Map format (O(1) lookup)
const reservedMap = require("reserved-email-addresses-list/map");
// Set format (O(1) lookup, no duplicates)
const reservedSet = require("reserved-email-addresses-list/set");
// Usage examples
console.log(reservedArray.includes("admin")); // Array: O(n)
console.log(reservedMap.has("admin")); // Map: O(1)
console.log(reservedSet.has("admin")); // Set: O(1)Statistics
| Metric | Value | Latest Version | | --------------------------- | ----- | -------------- | | Total Protected Terms | 3,221 | +1,968 | | Core Admin Terms | 85 | Optimized | | Unicode Variations | 3,074 | +3,074 (new) | | Translated Terms | 35 | +35 (restored) | | False Positives Removed | 1,389 | -94.2% |
🛡️ Security
Unicode Homograph Protection
This library provides comprehensive protection against IDN homograph attacks where attackers use visually similar characters from different Unicode scripts to create deceptive email addresses.
Attack Vector Example
// These look nearly identical but are different Unicode characters:
"[email protected]" // Latin "a" (U+0061)
"а[email protected]" // Cyrillic "а" (U+0430) - ATTACK!
"α[email protected]" // Greek "α" (U+03B1) - ATTACK!
"a[email protected]" // Fullwidth "a" (U+FF41) - ATTACK![!CAUTION] Without protection, attackers could register
а[email protected](Cyrillic) and impersonate[email protected](Latin), potentially bypassing security measures and fooling users.
Attack Prevention Examples
| Attack Type | Example | Status |
| ------------------------- | --------------------- | --------------- |
| Cyrillic Substitution | а[email protected] | 🛡️ BLOCKED |
| Greek Substitution | α[email protected] | 🛡️ BLOCKED |
| Number Substitution | [email protected] | 🛡️ BLOCKED |
| Fullwidth Characters | a[email protected] | 🛡️ BLOCKED |
| Mixed Scripts | αdmі[email protected] | 🛡️ BLOCKED |
| Legitimate User | [email protected] | ✅ ALLOWED |
Supported Unicode Scripts
Cyrillic Script (Russian, Bulgarian, Serbian)
- а (U+0430) → looks like Latin "a"
- е (U+0435) → looks like Latin "e"
- о (U+043E) → looks like Latin "o"
- р (U+0440) → looks like Latin "p"
- с (U+0441) → looks like Latin "c"
- х (U+0445) → looks like Latin "x"
- у (U+0443) → looks like Latin "y"
- і (U+0456) → looks like Latin "i"
Greek Script
- α (U+03B1) → looks like Latin "a"
- ε (U+03B5) → looks like Latin "e"
- ο (U+03BF) → looks like Latin "o"
- ρ (U+03C1) → looks like Latin "p"
- τ (U+03C4) → looks like Latin "t"
- χ (U+03C7) → looks like Latin "x"
Number Substitutions
- 0 → looks like Latin "O" or "o"
- 1 → looks like Latin "I", "i", or "l"
- 3 → looks like Cyrillic "З" or "з"
- 5 → looks like Cyrillic "Ѕ" or "ѕ"
Fullwidth Latin (CJK Input Methods)
- a (U+FF41) → looks like Latin "a"
- b (U+FF42) → looks like Latin "b"
- c (U+FF43) → looks like Latin "c"
- ...and all other fullwidth Latin characters
Other Scripts
- Roman Numerals: Ⅰ, Ⅴ, Ⅹ, ⅰ, ⅴ, ⅹ
- Armenian: ս (looks like "u")
- Mathematical: Various mathematical symbols
🌍 International Support
Supported Languages
| Language | Examples | Count |
| ------------------- | ---------------------------------------------------- | ----- |
| Portuguese | naoresponda, administracao, contato, suporte | 8 |
| Spanish | administracion, contacto, soporte, conserje | 6 |
| French | administration, ne-pas-repondre | 3 |
| System Variants | sys.administrator, sysadministrator | 11 |
| Multi-language | do-not-respond, donotrespond | 7 |
[!TIP] Contribute translations: We welcome contributions of administrative terms in additional languages. Please open an issue or pull request.
Translation Examples
// Portuguese
isReserved("[email protected]"); // true - "do not reply"
isReserved("[email protected]"); // true - "administration"
isReserved("[email protected]"); // true - "contact"
// Spanish
isReserved("[email protected]"); // true - "administration"
isReserved("[email protected]"); // true - "support"
isReserved("[email protected]"); // true - "contact"
// System variants
isReserved("[email protected]"); // true
isReserved("[email protected]"); // true⚡ Performance
Lookup Performance
| Format | Lookup Time | Memory Usage | Best For | | --------- | ----------- | ------------ | ----------------------------- | | Array | O(n) | Lowest | Small lists, simple iteration | | Set | O(1) | Medium | Fast lookups, unique values | | Map | O(1) | Highest | Fast lookups, key-value pairs |
Benchmarks
// Performance comparison (approximate)
const reservedArray = require("reserved-email-addresses-list");
const reservedSet = require("reserved-email-addresses-list/set");
const reservedMap = require("reserved-email-addresses-list/map");
// Array: ~0.1ms for 3,221 entries
console.time("Array lookup");
reservedArray.includes("admin");
console.timeEnd("Array lookup");
// Set: ~0.001ms (100x faster)
console.time("Set lookup");
reservedSet.has("admin");
console.timeEnd("Set lookup");
// Map: ~0.001ms (100x faster)
console.time("Map lookup");
reservedMap.has("admin");
console.timeEnd("Map lookup");[!TIP] Recommendation: Use
SetorMapformats for production applications with frequent lookups.
🔄 What"s New
Latest Enhancements
[!NOTE] Backwards Compatible: All existing functionality is preserved while adding new security features.
New Security Features
Added Unicode Protection (3,074 entries):
- Cyrillic variations:
аdmin,sеcurity, etc. - Greek variations:
αdmin,sεcurity, etc. - Number substitutions:
adm1n,r00t, etc. - Fullwidth characters:
admin,security, etc.
- Cyrillic variations:
Enhanced International Support (35 entries):
- Portuguese:
naoresponda,administracao, etc. - Spanish:
administracion,contacto, etc.
- Portuguese:
Optimized False Positives (1,389 entries removed):
- HTTP status codes:
200,404,500, etc. - Country codes:
us,uk,au,br,cn, etc. - Common words:
app,web,new,top, etc. - Single letters:
a,b,c, etc. - Numbers:
1,2,3, etc.
- HTTP status codes:
Upgrade Benefits
Enhanced Security:
// These are now BLOCKED (new protection): const nowProtected = [ "а[email protected]", // Cyrillic "а" "α[email protected]", // Greek "α" "[email protected]", // Number "1" "a[email protected]" // Fullwidth "a" ];Improved Usability:
// These are now ALLOWED (false positives removed): const nowAllowed = [ "[email protected]", // Common word "[email protected]", // Common word "[email protected]", // Country code "[email protected]", // Technical term "[email protected]", // Number "[email protected]" // Single letter ];
Upgrading
Simply update to the latest version:
npm update reserved-email-addresses-list[!TIP] No code changes required: Your existing implementation will continue to work while automatically benefiting from enhanced security.
📚 API Reference
Main Exports
// Default export (Array)
const reservedList = require("reserved-email-addresses-list");
// Type: string[]
// Example: ["admin", "root", "security", ...]
// Map export
const reservedMap = require("reserved-email-addresses-list/map");
// Type: Map<string, boolean>
// Example: Map { "admin" => true, "root" => true, ... }
// Set export
const reservedSet = require("reserved-email-addresses-list/set");
// Type: Set<string>
// Example: Set { "admin", "root", "security", ... }Specialized Lists
// Admin-focused list
const adminList = require("reserved-email-addresses-list/admin-list.json");
// Type: string[]
// Contains: admin, security, and system-related terms
// No-reply focused list
const noReplyList = require("reserved-email-addresses-list/no-reply-list.json");
// Type: string[]
// Contains: no-reply, noreply, do-not-reply, etc.TypeScript Support
// Type definitions
declare module "reserved-email-addresses-list" {
const reservedList: string[];
export = reservedList;
}
declare module "reserved-email-addresses-list/map" {
const reservedMap: Map<string, boolean>;
export = reservedMap;
}
declare module "reserved-email-addresses-list/set" {
const reservedSet: Set<string>;
export = reservedSet;
}
// Usage
import reservedList from "reserved-email-addresses-list";
import reservedSet from "reserved-email-addresses-list/set";
function isReserved(email: string): boolean {
return reservedSet.has(email.toLowerCase());
}🔗 References
Standards & RFCs
- RFC 2142 - Mailbox Names for Common Services - Official standard for reserved mailbox names
- RFC 5321 - Simple Mail Transfer Protocol - SMTP specification
- RFC 5890 - Internationalized Domain Names - IDN specification
Security Research
- Unicode Security Considerations - Official Unicode security guidelines
- IDN Homograph Attacks - Wikipedia overview
- Punycode and IDN - Punycode specification
Industry Resources
- Google Workspace Reserved Names - Google"s reserved email list
- Microsoft Exchange Reserved Names - Microsoft"s guidelines
- IANA Special-Use Domain Names - Official registry
Community Resources
- Reserved Usernames Gist - Community-maintained list
- Email Security Best Practices - Security guidelines
- Salesforce Email Guidelines - Enterprise best practices
Historical Context
- Unix System Accounts - Traditional Unix reserved names
- Webmaster Guidelines - Web security considerations
- LiveFi Security Incident - Real-world attack example
👥 Contributors
| Name | Website | Contributions | | -------------- | -------------------------------------------------------------------------------------------------------- | --------------------------- | | Nick Baugh | http://niftylettuce.com/ | Original author, maintainer | | Community | GitHub Contributors | Various improvements |
Contributing
We welcome contributions! Please see our Contributing Guidelines for details.
[!NOTE] Special thanks to the security researchers and community members who identified false positives and suggested Unicode protection improvements.
📄 License
⬆ Back to Top
Made with ❤️ for email security
