by pzxc 3047 days ago
What you say is not untrue, but it's still bad advice to do it -- a security red herring. First of all, you don't know that 100% of mail servers ignore characters after the +, so you can't safely strip those characters or you might not end up with a usable email address. That goes double for stripping the dots/periods, which gmail ignores but many other mail servers do not.

On top of that, it's just as easy to set up a catchall email address -- an email box that accepts all mail for a domain, literally anything@mydomain.com. So a malicious actor could sidestep this security attempt with minimal effort, but it still inconveniences legitimate users despite being worthless from a security perspective.

1 comment

True, true. As I mentioned below, in my case, it was even usernames, just entering your email for a free gift card. The attacker actually used dots with a gmail address.
There are soooo many ways to easily game the email side of it that you would be better off using other means of detecting uniqueness (rate limit per IP address, rate limit per hash of IP address and user-agent).
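The thread's two points side by side, as an added example that is not code from either commenter: Gmail-only normalisation of dots and `+tag` does nothing against a catch-all domain, while a rate limit keyed on a hash of IP and User-Agent caps the same client regardless of which addresses it types. The signup log, the IP addresses, the domain `catchall.example` and the HMAC secret are all constructed for the example; the sliding-window limiter is a plain in-memory one written here for illustration.

```python
import hashlib
import hmac
from collections import deque

# Per-deployment secret used to key client identifiers. Assumed value for the example.
CLIENT_KEY_SECRET = b"example-secret-rotate-me"


def normalize_email(email):
    """Lower-case the address; collapse '+tag' and dots only for Gmail domains.

    Stripping '+tag' or dots for arbitrary domains can yield an address that
    is not deliverable, which is the first comment's objection.
    """
    local, _, domain = email.strip().rpartition("@")
    domain = domain.lower()
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local.lower()}@{domain}"


def client_key(ip, user_agent):
    """Opaque rate-limit key: HMAC over IP and User-Agent, so the limiter's
    table holds no raw client data."""
    msg = ip.encode() + b"\0" + user_agent.encode()
    return hmac.new(CLIENT_KEY_SECRET, msg, hashlib.sha256).hexdigest()


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = {}  # key -> deque of attempt timestamps

    def allow(self, key, now):
        q = self._hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed signup log: (seconds, email, source IP, User-Agent). Not real data.
# One client cycles through Gmail dot/plus variants and then a catch-all domain;
# two other clients sign up once each.
ATTEMPTS = [
    (0, "attacker@gmail.com",         "198.51.100.7", "UA-A"),
    (1, "at.tack.er@gmail.com",       "198.51.100.7", "UA-A"),
    (2, "attacker+gift@gmail.com",    "198.51.100.7", "UA-A"),
    (3, "anything1@catchall.example", "198.51.100.7", "UA-A"),
    (4, "anything2@catchall.example", "198.51.100.7", "UA-A"),
    (5, "anything3@catchall.example", "198.51.100.7", "UA-A"),
    (6, "alice@example.net",          "203.0.113.5",  "UA-B"),
    (7, "bob@example.org",            "192.0.2.44",   "UA-C"),
]


def run(attempts, policy, limit=3, window=60):
    """Return the emails accepted under a policy:
    'email' - reject only repeated normalised addresses
    'rate'  - reject only once the client key exceeds the limit
    'both'  - every attempt is charged to the rate limit, and the address must be new
    """
    seen = set()
    limiter = SlidingWindowLimiter(limit, window)
    accepted = []
    for t, email, ip, ua in attempts:
        addr = normalize_email(email)
        ok = True
        if policy in ("rate", "both"):
            # Charge the attempt whether or not the address turns out to be new,
            # so retries with fresh addresses still burn the client's budget.
            ok = limiter.allow(client_key(ip, ua), t)
        if ok and policy in ("email", "both"):
            ok = addr not in seen
        if ok:
            seen.add(addr)
            accepted.append(email)
    return accepted


def attacker_wins(accepted, ip="198.51.100.7"):
    """How many accepted signups came from the constructed attacker IP."""
    return sum(1 for _, e, i, _ in ATTEMPTS if i == ip and e in accepted)


if __name__ == "__main__":
    for policy in ("email", "rate", "both"):
        acc = run(ATTEMPTS, policy)
        print(f"{policy:5s}: {len(acc)} accepted, {attacker_wins(acc)} from the attacker")
```

Against this log, address de-duplication alone hands the attacker four of six accepted signups, because the catch-all domain never repeats an address. The rate limit alone still lets three through before the window fills, and combining the two, charging every attempt against the limit, leaves the attacker with one.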