List of 1250+ generic, admin, mailer-daemon, and no-reply usernames reserved for security concerns. Made for Forward Email <https//forwardemail.net>.
npm install reserved-email-addresses-list
> Comprehensive list of reserved email addresses with Unicode homograph protection and international support. Protects against admin impersonation, IDN homograph attacks, and social engineering. Made for Forward Email.
* ✨ Latest Improvements - Enhanced Security & Usability
* 🛡️ Security Features
* Unicode Homograph Protection
* International Support
* 🚀 Quick Start
* 📦 Installation
* npm
* yarn
* pnpm
* 💡 Usage
* Basic Usage
* Advanced Security Checks
* Unicode-Safe Validation
* 📋 Lists
* List Types
* Formats Available
* Statistics
* 🛡️ Security
* Unicode Homograph Protection
* Attack Prevention Examples
* Supported Unicode Scripts
* 🌍 International Support
* Supported Languages
* Translation Examples
* ⚡ Performance
* Lookup Performance
* Benchmarks
* 🔄 What"s New
* Latest Enhancements
* Upgrading
* 📚 API Reference
* Main Exports
* Specialized Lists
* TypeScript Support
* 🔗 References
* Standards & RFCs
* Security Research
* Industry Resources
* Community Resources
* Historical Context
* 👥 Contributors
* Contributing
* 📄 License
> \[!NOTE]
> Latest Version introduces significant security and usability improvements:
>
> * 94.2% reduction in false positives (removed 1,389 arbitrary restrictions)
> * 3,074 Unicode homograph variations added for security
> * 35 translated admin terms properly supported
> * Comprehensive IDN attack protection against Cyrillic, Greek, and other scripts
> \[!TIP]
> Backwards Compatible: All existing functionality is preserved. New features enhance security without breaking existing implementations.
Protects against IDN homograph attacks using visually similar characters:
* Cyrillic lookalikes: аdmin (Cyrillic "а") vs admin (Latin "a")
* Greek lookalikes: αdmin (Greek "α") vs admin (Latin "a")
* Number substitutions: adm1n (digit "1") vs admin (Latin "i")
* Fullwidth characters: admin (fullwidth "a") vs admin (Latin "a")
* Mixed script attacks: αdmіn (Greek "α" + Cyrillic "і")
Properly protects translated administrative terms:
* Portuguese: naoresponda (do not reply), administracao, contato
* Spanish: administracion, contacto, soporte, conserje
* French: administration, ne-pas-repondre
* System variants: sys.administrator, sysadministrator, system-administrator
``bash`
npm install reserved-email-addresses-list email-addresses
`js
const reservedList = require("reserved-email-addresses-list");
const emailAddresses = require("email-addresses");
function isReserved(email) {
const parsed = emailAddresses.parseOneAddress(email);
if (!parsed) return false;
const local = parsed.local.toLowerCase().trim();
return reservedList.includes(local);
}
// Basic check
console.log(isReserved("admin@example.com")); // true
console.log(isReserved("user123@example.com")); // false
// Unicode homograph protection
console.log(isReserved("аdmin@example.com")); // true (Cyrillic "а")
console.log(isReserved("αdmin@example.com")); // true (Greek "α")
console.log(isReserved("adm1n@example.com")); // true (digit "1")
`
`bash`
npm install reserved-email-addresses-list
`bash`
yarn add reserved-email-addresses-list
`bash`
pnpm add reserved-email-addresses-list
> \[!TIP]
> Recommended: Also install email-addresses for robust email parsing and validation.
`js
const reservedList = require("reserved-email-addresses-list");
// Check if email address is reserved
const email = "admin@example.com";
const isReserved = reservedList.includes(email.split("@")[0].toLowerCase());
`
`js
const reservedEmailAddressesList = require("reserved-email-addresses-list");
const reservedAdminList = require("reserved-email-addresses-list/admin-list.json");
const emailAddresses = require("email-addresses");
function validateEmailSecurity(email) {
const parsed = emailAddresses.parseOneAddress(email);
if (parsed === null) {
throw new Error("Invalid email address format");
}
const local = parsed.local.toLowerCase().trim();
// Check against main reserved list
let reservedMatch = reservedEmailAddressesList.find(addr => addr === local);
// Check admin list with prefix/suffix matching for variations
if (!reservedMatch) {
reservedMatch = reservedAdminList.find(
addr => addr === local || local.startsWith(addr) || local.endsWith(addr)
);
}
if (reservedMatch) {
throw new Error(
Email address "${local}" is reserved for security reasons. +Matched reserved term: "${reservedMatch}".
+See https://forwardemail.net/reserved-email-addresses for details.
);
}
return true;
}
// Examples
try {
validateEmailSecurity("admin@example.com"); // Throws error
} catch (err) {
console.error(err.message);
}
try {
validateEmailSecurity("аdmin@example.com"); // Throws error (Cyrillic)
} catch (err) {
console.error(err.message);
}
validateEmailSecurity("user123@example.com"); // Returns true
`
> \[!IMPORTANT]
> Always normalize Unicode input to prevent homograph attacks:
`js
const reservedList = require("reserved-email-addresses-list");
function isReservedUnicodeSafe(email) {
const parsed = emailAddresses.parseOneAddress(email);
if (!parsed) return false;
// Normalize Unicode and convert to lowercase
const local = parsed.local.normalize("NFKC").toLowerCase().trim();
return reservedList.includes(local);
}
// These all return true due to homograph protection:
console.log(isReservedUnicodeSafe("admin@example.com")); // Latin
console.log(isReservedUnicodeSafe("аdmin@example.com")); // Cyrillic "а"
console.log(isReservedUnicodeSafe("αdmin@example.com")); // Greek "α"
console.log(isReservedUnicodeSafe("admin@example.com")); // Fullwidth "a"
`
| List | Entries | Description | Use Case |
| -------------------------------------------- | ------- | -------------------------------------- | --------------------------- |
| index.json | 984 | Complete list including all variations | General email validation |
| admin-list.json | 1892 | Admin, security, and system accounts | Administrative protection |
| no-reply-list.json | 347 | No-reply and automated email addresses | Automated system protection |
> \[!NOTE]
> Hierarchical Structure: index.json includes all entries from admin-list.json and no-reply-list.json.
`js
// Array format (default)
const reservedArray = require("reserved-email-addresses-list");
// Also: require("reserved-email-addresses-list/array");
// Map format (O(1) lookup)
const reservedMap = require("reserved-email-addresses-list/map");
// Set format (O(1) lookup, no duplicates)
const reservedSet = require("reserved-email-addresses-list/set");
// Usage examples
console.log(reservedArray.includes("admin")); // Array: O(n)
console.log(reservedMap.has("admin")); // Map: O(1)
console.log(reservedSet.has("admin")); // Set: O(1)
`
| Metric | Value | Latest Version |
| --------------------------- | ----- | -------------- |
| Total Protected Terms | 3,221 | +1,968 |
| Core Admin Terms | 85 | Optimized |
| Unicode Variations | 3,074 | +3,074 (new) |
| Translated Terms | 35 | +35 (restored) |
| False Positives Removed | 1,389 | -94.2% |
This library provides comprehensive protection against IDN homograph attacks where attackers use visually similar characters from different Unicode scripts to create deceptive email addresses.
#### Attack Vector Example
`js`
// These look nearly identical but are different Unicode characters:
"admin@example.com" // Latin "a" (U+0061)
"аdmin@example.com" // Cyrillic "а" (U+0430) - ATTACK!
"αdmin@example.com" // Greek "α" (U+03B1) - ATTACK!
"admin@example.com" // Fullwidth "a" (U+FF41) - ATTACK!
> \[!CAUTION]
> Without protection, attackers could register аdmin@company.com (Cyrillic) and impersonate admin@company.com (Latin), potentially bypassing security measures and fooling users.
| Attack Type | Example | Status |
| ------------------------- | --------------------- | --------------- |
| Cyrillic Substitution | аdmin@evil.com | 🛡️ BLOCKED |αdmin@evil.com
| Greek Substitution | | 🛡️ BLOCKED |adm1n@evil.com
| Number Substitution | | 🛡️ BLOCKED |admin@evil.com
| Fullwidth Characters | | 🛡️ BLOCKED |αdmіn@evil.com
| Mixed Scripts | | 🛡️ BLOCKED |user123@company.com
| Legitimate User | | ✅ ALLOWED |
🔍 Click to expand Unicode script coverage
#### Cyrillic Script (Russian, Bulgarian, Serbian)
* а (U+0430) → looks like Latin "a"
* е (U+0435) → looks like Latin "e"
* о (U+043E) → looks like Latin "o"
* р (U+0440) → looks like Latin "p"
* с (U+0441) → looks like Latin "c"
* х (U+0445) → looks like Latin "x"
* у (U+0443) → looks like Latin "y"
* і (U+0456) → looks like Latin "i"
#### Greek Script
* α (U+03B1) → looks like Latin "a"
* ε (U+03B5) → looks like Latin "e"
* ο (U+03BF) → looks like Latin "o"
* ρ (U+03C1) → looks like Latin "p"
* τ (U+03C4) → looks like Latin "t"
* χ (U+03C7) → looks like Latin "x"
#### Number Substitutions
* 0 → looks like Latin "O" or "o"
* 1 → looks like Latin "I", "i", or "l"
* 3 → looks like Cyrillic "З" or "з"
* 5 → looks like Cyrillic "Ѕ" or "ѕ"
#### Fullwidth Latin (CJK Input Methods)
* a (U+FF41) → looks like Latin "a"
* b (U+FF42) → looks like Latin "b"
* c (U+FF43) → looks like Latin "c"
...and all other fullwidth Latin characters*
#### Other Scripts
* Roman Numerals: Ⅰ, Ⅴ, Ⅹ, ⅰ, ⅴ, ⅹ
* Armenian: ս (looks like "u")
* Mathematical: Various mathematical symbols
| Language | Examples | Count |
| ------------------- | ---------------------------------------------------- | ----- |
| Portuguese | naoresponda, administracao, contato, suporte | 8 |administracion
| Spanish | , contacto, soporte, conserje | 6 |administration
| French | , ne-pas-repondre | 3 |sys.administrator
| System Variants | , sysadministrator | 11 |do-not-respond
| Multi-language | , donotrespond | 7 |
> \[!TIP]
> Contribute translations: We welcome contributions of administrative terms in additional languages. Please open an issue or pull request.
`js
// Portuguese
isReserved("naoresponda@example.com"); // true - "do not reply"
isReserved("administracao@example.com"); // true - "administration"
isReserved("contato@example.com"); // true - "contact"
// Spanish
isReserved("administracion@example.com"); // true - "administration"
isReserved("soporte@example.com"); // true - "support"
isReserved("contacto@example.com"); // true - "contact"
// System variants
isReserved("sys.administrator@example.com"); // true
isReserved("system-administrator@example.com"); // true
`
| Format | Lookup Time | Memory Usage | Best For |
| --------- | ----------- | ------------ | ----------------------------- |
| Array | O(n) | Lowest | Small lists, simple iteration |
| Set | O(1) | Medium | Fast lookups, unique values |
| Map | O(1) | Highest | Fast lookups, key-value pairs |
`js
// Performance comparison (approximate)
const reservedArray = require("reserved-email-addresses-list");
const reservedSet = require("reserved-email-addresses-list/set");
const reservedMap = require("reserved-email-addresses-list/map");
// Array: ~0.1ms for 3,221 entries
console.time("Array lookup");
reservedArray.includes("admin");
console.timeEnd("Array lookup");
// Set: ~0.001ms (100x faster)
console.time("Set lookup");
reservedSet.has("admin");
console.timeEnd("Set lookup");
// Map: ~0.001ms (100x faster)
console.time("Map lookup");
reservedMap.has("admin");
console.timeEnd("Map lookup");
`
> \[!TIP]
> Recommendation: Use Set or Map formats for production applications with frequent lookups.
> \[!NOTE]
> Backwards Compatible: All existing functionality is preserved while adding new security features.
#### New Security Features
1. Added Unicode Protection (3,074 entries):
* Cyrillic variations: аdmin, sеcurity, etc.αdmin
* Greek variations: , sεcurity, etc.adm1n
* Number substitutions: , r00t, etc.admin
* Fullwidth characters: , security, etc.
2. Enhanced International Support (35 entries):
* Portuguese: naoresponda, administracao, etc.administracion
* Spanish: , contacto, etc.
3. Optimized False Positives (1,389 entries removed):
* HTTP status codes: 200, 404, 500, etc.us
* Country codes: , uk, au, br, cn, etc.app
* Common words: , web, new, top, etc.a
* Single letters: , b, c, etc.1
* Numbers: , 2, 3, etc.
#### Upgrade Benefits
1. Enhanced Security:
`js`
// These are now BLOCKED (new protection):
const nowProtected = [
"аdmin@company.com", // Cyrillic "а"
"αdmin@company.com", // Greek "α"
"adm1n@company.com", // Number "1"
"admin@company.com" // Fullwidth "a"
];
2. Improved Usability:
`js`
// These are now ALLOWED (false positives removed):
const nowAllowed = [
"app@company.com", // Common word
"web@company.com", // Common word
"us@company.com", // Country code
"api@company.com", // Technical term
"1@company.com", // Number
"a@company.com" // Single letter
];
Simply update to the latest version:
`bash`
npm update reserved-email-addresses-list
> \[!TIP]
> No code changes required: Your existing implementation will continue to work while automatically benefiting from enhanced security.
`js
// Default export (Array)
const reservedList = require("reserved-email-addresses-list");
// Type: string[]
// Example: ["admin", "root", "security", ...]
// Map export
const reservedMap = require("reserved-email-addresses-list/map");
// Type: Map
// Example: Map { "admin" => true, "root" => true, ... }
// Set export
const reservedSet = require("reserved-email-addresses-list/set");
// Type: Set
// Example: Set { "admin", "root", "security", ... }
`
`js
// Admin-focused list
const adminList = require("reserved-email-addresses-list/admin-list.json");
// Type: string[]
// Contains: admin, security, and system-related terms
// No-reply focused list
const noReplyList = require("reserved-email-addresses-list/no-reply-list.json");
// Type: string[]
// Contains: no-reply, noreply, do-not-reply, etc.
`
`typescript
// Type definitions
declare module "reserved-email-addresses-list" {
const reservedList: string[];
export = reservedList;
}
declare module "reserved-email-addresses-list/map" {
const reservedMap: Map
export = reservedMap;
}
declare module "reserved-email-addresses-list/set" {
const reservedSet: Set
export = reservedSet;
}
// Usage
import reservedList from "reserved-email-addresses-list";
import reservedSet from "reserved-email-addresses-list/set";
function isReserved(email: string): boolean {
return reservedSet.has(email.toLowerCase());
}
``
* RFC 2142 - Mailbox Names for Common Services - Official standard for reserved mailbox names
* RFC 5321 - Simple Mail Transfer Protocol - SMTP specification
* RFC 5890 - Internationalized Domain Names - IDN specification
* Unicode Security Considerations - Official Unicode security guidelines
* IDN Homograph Attacks - Wikipedia overview
* Punycode and IDN - Punycode specification
* Google Workspace Reserved Names - Google"s reserved email list
* Microsoft Exchange Reserved Names - Microsoft"s guidelines
* IANA Special-Use Domain Names - Official registry
* Reserved Usernames Gist - Community-maintained list
* Email Security Best Practices - Security guidelines
* Salesforce Email Guidelines - Enterprise best practices
* Unix System Accounts - Traditional Unix reserved names
* Webmaster Guidelines - Web security considerations
* LiveFi Security Incident - Real-world attack example
| Name | Website | Contributions |
| -------------- | -------------------------------------------------------------------------------------------------------- | --------------------------- |
| Nick Baugh |
| Community | GitHub Contributors | Various improvements |
We welcome contributions! Please see our Contributing Guidelines for details.
> \[!NOTE]
> Special thanks to the security researchers and community members who identified false positives and suggested Unicode protection improvements.
---
##