negative watchword[s]...won't stop what is going on ...because all they need is the userid.
Yes, true. That is why I started using watchwords.
If you are correct - and I believe you are - then watchwords still have a loophole: using your watchword exposes it to these fiends. Negative watchwords would solve that problem.
make trouble for yourself...when you [forget] your negative watchword and [try] to create a new address with it in it.
True. But I've made that mistake with watchwords.
Ultimately, yes, it's simpler to:
1. have a watchword, but
2. never use the watchword in any address! [huh??? ah...]
3. Instead, create all new addresses on-site using the "Send a message from one of your disposable addresses" feature.
On-site, any address will be created, even if it doesn't include the/a watchword[s]. The addresses created are now "cleaner," and the watchword serves its purpose most effectively - the watchword is never exposed, so it can never be bypassed. More work, but more effective. I just discovered this fact, and hence this technique, yesterday. In light of your objections and this superior alternative, I withdraw the "negative watchwords" suggestion/request.
Q: "But what do I do when I need an address and SG's site is offline (knocked out by DOS attack)?"
A: That's your cue to use some other anti-spam methodology.
EDIT: This is perverse, but - to belabor the obvious - now I never have the "Where is my confirmation email?" problem. The Law of Unintended Consequences works in our favor for once.