Some sites however will just ban + on registration. I've seen registration allow + but login disallow (also different password lengths occasionally, wtf?), though I can't think of any offhand.
> It's extra effort for them for nearly zero marginal gain.
I wouldn't say it's nearly-zero gain; by applying a tiny sed expression they obtain a basically unblockable e-mail address.
It's easy to blacklist johndoe+amazon@gmail.com but very few people would be willing / able to blacklist their top-level johndoe@gmail.com. So the spam keeps coming.
Spammers are annoying but the progammers behind them are smart.