[yebyen]

Huh?

Yeah, I'm counting on e-mailers to send mail to the address I give them. No, I don't expect folks to send me spam unsolicited, or sell my address when I give it to them. I don't consider my name or e-mail address to be secret, and I'm also counting on anyone who sells my contact info to be doing it in bulk, not paying enough attention to strip out +tags, and by passing the address to spammers unaltered (or losing control of their database), give themselves away when I start receiving spam at that address.

Honestly I don't use the feature very often and I had not considered it to be a security measure before. Maybe novelty is the right word.

If I give myaddress+dropbox@mydomain.com to Dropbox, and they mail me from different addresses, I would be able to catch them all and put the "Dropbox" tag on them all, rather than having to make a filter for *@dropbox.com or some other extraordinary measure for classifying their mail.

It's part of the RFC, and supported by every mailer that I know. What part of this technique seems like obfuscation?

[k3n]

I guess that's the disconnect, because I do consider my email address secret -- since it is 1/2 of the information required to access my Google account, I take great measures to make sure that outside parties never see it (as best I can). If I can prevent any site from ever knowing that address, then my chances of being targeted (phishing, brute-force, whatever) are drastically reduced.

So, if you only use +tag for your own personal organizational purposes, then have at it! But if your goal is to conceal your account ID with Google in the interest of personal security, then you really need a better angle.

[yebyen]

That's very well reasoned, I hadn't thought of it that way. Upvotes!

[k3n]

Cheers! Thanks for the discussion, I enjoyed it.