What are you requirements? Sure, there are plenty of characters that don't work in an email address, like < > ( ) [ ] ; : , \, but it boils down to what you're actually filtering on.
Usually there will be a regular expression or validation class in use on the backend of the system. Start by asking what they expect their filters will catch. From there, it's a matter of trying to prove that wrong [img]/images/graemlins/smile.gif[/img]