by sodapopcan 3049 days ago
It's way easier to write a script to generate thousands of variations on the same email address than to sign up for a thousand different accounts. I've actually been bitten by this bug before... or rather, my company was bitten by an affiliate who neglected to sanitize their emails this way and someone was able to create thousands of gift cards in our system.

Having said that, in development, it's super nice to be able to create addresses with +'s in them.


What you say is not untrue, but it's still bad advice to do it -- a security red herring. First of all, you don't know that 100% of mail servers ignore characters after the +, so you can't safely strip those characters or you might not end up with a usable email address. That goes double for stripping the dots/periods, which gmail ignores but many other mail servers do not.

On top of that, it's just as easy to set up a catchall email address -- an email box that accepts all mail for a domain, literally anything@mydomain.com. So a malicious actor could sidestep this security attempt with minimal effort, but it still inconveniences legitimate users despite being worthless from a security perspective.

True, true. As I mentioned below, in my case, it was even usernames, just entering your email for a free gift card. The attacker actually used dots with a gmail address.
There are soooo many ways to easily game the email side of it that you would be better off using other means of detecting uniqueness (rate limit per IP address, rate limit per hash of IP address and user-agent).
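As an added illustration of the two points made in this thread (that address normalization is only safe for providers known to ignore dots and "+tags", and that a rate limit keyed on the client rather than the address is the more robust control), here is example code that is not from any commenter or from Hacker News. The provider list, the sample claims and the limit values are constructed for the example.

```python
import hashlib
import time
from collections import defaultdict, deque
from typing import Optional

# Assumption for this example: only Google's domains are treated as ignoring
# dots and "+tags" in the local part. Every other domain is left verbatim,
# because (as the thread notes) many mail servers treat those characters
# literally and stripping them could yield an undeliverable address.
DOT_AND_PLUS_INSENSITIVE = {"gmail.com", "googlemail.com"}


def normalize_email(address: str) -> str:
    """Canonicalize an address only for providers known to ignore dots/+tags."""
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain in DOT_AND_PLUS_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


class RequestRateLimiter:
    """Sliding-window limiter keyed on a hash of client IP and User-Agent."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    @staticmethod
    def key_for(ip: str, user_agent: str) -> str:
        # Hashing keeps raw IP/UA pairs out of the limiter's state.
        return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()

    def allow(self, ip: str, user_agent: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[self.key_for(ip, user_agent)]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate_gift_card_claims(claims, limit=3, window=60.0):
    """Apply email de-duplication first, then the per-client rate limit.

    `claims` is an iterable of (timestamp, ip, user_agent, email) tuples.
    Returns the canonical addresses that were accepted.
    """
    limiter = RequestRateLimiter(limit, window)
    seen = set()
    accepted = []
    for t, ip, ua, email in claims:
        canonical = normalize_email(email)
        if canonical in seen:
            continue  # duplicate address; only reliable for listed providers
        if not limiter.allow(ip, ua, now=t):
            continue  # same client hammering the endpoint, regardless of address
        seen.add(canonical)
        accepted.append(canonical)
    return accepted


# Constructed sample: one client varies a gmail address, then switches to a
# catch-all domain where normalization cannot help; a second client follows.
SAMPLE_CLAIMS = [
    (0.0, "198.51.100.7", "ExampleBrowser/1.0", "jo.hn.doe+a@gmail.com"),
    (1.0, "198.51.100.7", "ExampleBrowser/1.0", "j.ohndoe@gmail.com"),
    (2.0, "198.51.100.7", "ExampleBrowser/1.0", "anything1@example.com"),
    (3.0, "198.51.100.7", "ExampleBrowser/1.0", "anything2@example.com"),
    (4.0, "198.51.100.7", "ExampleBrowser/1.0", "anything3@example.com"),
    (5.0, "203.0.113.9", "ExampleBrowser/1.0", "anything3@example.com"),
]

if __name__ == "__main__":
    for addr in simulate_gift_card_claims(SAMPLE_CLAIMS):
        print("accepted:", addr)
```

In the sample run, the dotted gmail variant is caught by normalization, but the catch-all addresses are not; it is the IP/User-Agent limit that stops the third claim from the same client while still letting a different client through.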
> It's way easier to write a script to generate thousands of variations on the same email address than to sign up for a thousand different accounts.

It's just as easy to write a script to use ephemeral hosts that you don't need to sign up for. Things like Mailinator.

All it does is irritate people like me who use +words as prefilters for email (and to see which companies are selling my email/user data).

Fair enough! In my case it wasn't actually usernames, just entering an email address through a phone company for a free gift card from my old company so yeah, my point is moot.
That's all fine, but except in pretty specific circumstances you're going to have valid reasons to want multiple accounts for a single email address. Kind of a crazy scale issue, but one example is wanting your AWS Account to be separate from your Amazon Retail account; even though they use the same underlying account store, it's a good idea to use separate accounts even if they're tied to the same email.