The basic idea of variant disposable (e-mail) addresses is that you have a basic (root) address that can not be used as an e-mail destination, and variations upon that address which can be used for a while then can be disabled. You log into your variant-address service using the root address, then manage the several variants on that address, including choosing which will remain usable and which will be deactivated.
Why would you want to disable a perfectly usable address? Because some spammer harvested that address and is now using it to send you spam. Why have several variant addresses you can disable instead of just a single address? Because this way you can give out different variants to different people, and post different variants in different public places, and if one of the public addresses is harvested by a spammer, or one of the private penpal addresses is invaded by a trojan/worm that uploads your penpal's address book including your confidential address, you can disable that one address, affecting only people who saw that one public address or only that one penpal (and the spammers that uploaded it), which is a lot less hassle than cutting off *all* your e-mail contacts. Also, by knowing which of your several variant addresses was harvested by a spammer, you can figure out (in general) the means by which that address was harvested, such as one specific penpal having a virus-infected machine (so you can tell that penpal they have a problem they need to fix immediately), or some Web page or other public place is being harvested by spammers (so you can change that public place to make harvesting more difficult).
How does this work? There are two primary ways this can be done, by a MSP (Mail Service Provider) providing e-mail aliases as a basic part of service, or by an e-mail forwarding service. In the former case, e-mail to still-valid addresses go directly to your mailbox (InBox or specially selected folder) while all other e-mail is rejected. In the latter case, e-mail to still-valid addresses gets forwarded to your actual (and secret) e-mail address on your actual MSP, while all other e-mail is rejected, not forwarded. Ideally rejected e-mail is formally refused by the SMTP server, so that penpals whose personal variant has been deactivated, and new potential penpals who saw one of your public addresses which unfortunately was already deactivated before they tried to use it, will get a NDN (Non-Delivery Notice) and know they e-mail didn't get to you and have a chance to re-try later when they have your new still-active address. Unfortunately I haven't been able to find any free variant-address mail-forwarding service that does that. The best I've been able to find is SpamGourmet, which accepts and then simply discards, without any NDN, when it receives e-mail addressed to an already-disabled variant address.
One other feature some variant-address services provide is a limit (throttle) on incoming messages to any single variant address. Thus if the limit is 3 on an address never used before, and a spammer harvests that address and sends five hundred spam to that address, only the first 3 will be delivered/forwarded, the rest will be rejected (refused, or accepted then disarded). Legitimate penpals must be careful not to exceed this limit or else their otherwise legitimate and wanted e-mail will be rejected. Any good variant-address service provides a way for the recipient to browse the variant addresses currently active (not yet disabled) and see when any of them is getting close to the limit (or in worst case already exceeded limit and rejected some valid messages already), and reset the limit to allow some more articles in the future. SpamGourmet provides this in "Advanced mode", which I highly recommend for anyone choosing SpamGourmet for their variant-address service.
My own experience with variant addresses (all provided by SpamGourmet): About twenty different variant addresses were harvested by spammers and consequently needed to be disabled to protect me from those same spammers sending me additional e-mail via those same variants. Most of those were addresses I posted in my From: address in newsgroup postings, but one was decoded and harvested from a disguised address in newsgroup postings, and several were harvested from Yahoo! Groups. But the most egregious case is CareerBuilder, a totally corrupt organization, which sold to spammers every e-mail address they ever got their hands on. I posted my resume on CarrerBuilder, using one address, and promptly began getting lots of spam from them. (This was before I discovered SpamGourmet, so one of my actual e-mail addresses got ruined by CareerBuilder.) I volunteered through the a NYC Lisp organization, for mentoring students at computer programming during the summer of 2008, but CareerBuilder intercepted the e-mail address (a SpamGourmet variant) that I was trying to communicate with LispNYC, and before I could even receive confirmation from LispNYC about my volunteering, CareerBuilder had already started flooding that variant address with spam so I had to cancel that variant to protect myself from CareerBuilder's flood of spam. I highly recommend nobody ever do business with CareerBuilder in any way shape or form. Never post your resume there. Never respond to job ads they send out as spam. If anybody such as LispNYC wants to do business with you, but they are affiliated with CareerBuilder, tell them how corrupt CareerBuilder is and insist they separate themselves from CareerBuilder before you will do business with them. If they say they are severed from CareerBuilder, so you try to do business with them, but you later discover they've given your e-mail address to CareerBuilder, and consequently CareerBuilder has started sending you spam at the address you gave to their lying affiliate, please post a public article in the newsgroup alt.spam with the details, and also please contact me so that I can cite your additional evidence as to the corruptness of CareerBuilder. Finally, please tell CONNECT and NOVA and other employment service agencies how corrupt CareerBuilder is and urge them to stop providing free advertising for CareerBuilder by recommending that jobseekers use CareerBuilder's "services". Note that CareerBuilder has sent me such a horribly large amount of spam that there isn't enough time in the day to keep up with it all. here is a listing of a small sample of their spam to me.
More of my personal experience, how to set up public first-contact addresses: First I tried posting a single SpamGourmet variant address in newsgroup articles. But a spammer harvested it, so I had to disable it, and use another, which had the bad effect that many people had seen the no-longer-valid address and would have their e-mail to me get discarded without even a NDN. I tried using a different variant address for each article I posted, so that if one was compromised I could cancel it without affecting other addresses that were posted in different articles. But spammers started harvesting them en masse, causing me to receive ten different spam in one day, to ten different variant addresses. I tried obscuring my variant address, but a spammer decoded it and began spamming me. What I tried next, which I'm still doing, is not to post an e-mail address at all, but instead to post a URL to my home page, which has a "Contact me" link to a Turing test, and require prospective new penpals to pass that Turing test before learning what my public first-contact SpamGourmet variant address is. Because I was in a rush, after my previous public first-contact address had been harvested by spammers, I used plain HTML with multiple-choice answers instead of fill-in-blank ansers, but eventually I plan to convert the Turing test to PHP. So-far only three people have passed the Turing test and sent me e-mail (on 2008.Jul.30, Aug.16, and Sep.28), so maybe multiple-choice with so many possible answers to choose from is too difficult, or maybe the questions themselves are too difficult. But no spammer has yet harvested any of the e-mail addresses at the end of that Turing test, so at least it does seem to be serving its primary purpose of providing a way that penpals can find a way to contact me without spammers also learning that same address and spoiling it.
Note that as soon as the e-mail address at the end of the Turing test is used once, I change that address to a new SpamGourmet variant, so that there's no likely chance of several more legitimate penpals and also some spammers sharing the same address. And when I reply to the first-contact e-mail using the old address, I immediately make up a new SpamGourmet variant address and use that instead of the first-contact address for all subsequent e-mail from my new penpal.