by tonmoy 3658 days ago
If a lot of people start doing this thing, then it will be trivial for an attacker to figure out name+service1@domain can be changed to name+service2@domain
2 comments

Same argument for port knocking. Absolutely ineffective against targeted attacks, but most attacks aren't customized and targeted.
It also cuts down on the attack surface enough to let you use more active alerting.
"service1" could be generated randomly as well, and stored along with the password in a password manager.

Another nice property of this suffix is that one can identify who gave away their email address / which site it was scraped from when receiving spam; not sure where I have seen this written down originally.

I think when spammers see a "+" they just strip everything after it down, i.e. me+spam@example.org -> me@example.org. Not to say many sites just don't accept "+" (or, worse, cease to accept such addresses).

Unique, non-guessable, machine-generated addresses are the way to go (do with emails just like password managers do with passwords), but no common person can use those, because they'll need a domain and self-hosted MDA.

E.g.

    # note: "base36" is not a standard coreutils/BSD tool; a locally installed helper is assumed here
    $ echo "$(echo -en "secretsalt\nsome.example.net" | sha1sum -b | xxd -r -p | base36 | cut -c-8)@me.example.org"
    h6t8490d@me.example.org
Or just generating random IDs and maintaining the database.

(Sure, HMAC would be a better idea than this string concatenation, but meh...)
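As an added illustration (not code from the thread), here is the HMAC variant the comment above alludes to, written in Python: a keyed per-service alias, a lookup that names the service an incoming spam address was issued to, and the plus-suffix stripping a spammer would apply. The secret, domain and service names are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed example values; a real setup keeps the secret with the
# password manager or the self-hosted MDA that accepts the aliases.
SECRET = b"constructed-example-secret"
ALIAS_DOMAIN = "me.example.org"


def alias_for(service: str, secret: bytes = SECRET, length: int = 8) -> str:
    """Derive a per-service address with HMAC-SHA256 keyed by the secret.

    Unlike name+service@domain, an outsider who sees one alias cannot
    derive another without the key, yet the owner can regenerate any
    alias from the service name alone.
    """
    tag = hmac.new(secret, service.lower().encode(), hashlib.sha256).digest()
    # base32 yields a lowercase local part with no '+' for anyone to strip
    local = base64.b32encode(tag).decode().lower().rstrip("=")[:length]
    return f"{local}@{ALIAS_DOMAIN}"


def identify_leaker(received_to: str, known_services: Iterable[str],
                    secret: bytes = SECRET) -> Optional[str]:
    """Name the service a spam message's To: address was handed to.

    Recomputes each known alias and compares in constant time; returns
    None when the address matches no service the owner registered.
    """
    target = received_to.strip().lower()
    for svc in known_services:
        if hmac.compare_digest(alias_for(svc, secret), target):
            return svc
    return None


def strip_plus_suffix(addr: str) -> str:
    """What a spammer does to plus-addresses: me+shop@x.org -> me@x.org.

    Applied to an HMAC alias it is a no-op, since there is no '+' to cut.
    """
    local, _, domain = addr.partition("@")
    return local.split("+", 1)[0] + "@" + domain
```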

Then I could just make my rand(service1) chars larger. No point in adding it to email address at all. Email leak (privacy) is an issue that this could help with but I do not see any benefit in terms of securing my account