
Does anyone store fake unique email addresses to see if they've been compromised? I assume you'd need to seed it with new ones occasionally or on some kind of schedule.



Lots of people will create a single address for each company that wants one, so that if it gets compromised it can be shut off without affecting any other incoming emails. And identify the offending firm. I have created an email account for a store that wanted an address while I was out in their parking lot (the ones that had plausible future value to me).

So far, none have been sold to marketing lists. Which says either that I'm a pretty good judge of firms, or that no one is interested in me. ;)


If you use gmail, you can insert random periods or append `+word' to your email address and it'll be delivered to the same address as one without periods and the `+word' portion. So, an email to `my.email.address+hackernews@gmail.com' will be delivered to `myemailaddress@gmail.com'.


Sadly a number of sites get hung up on the '+', despite being valid. One thing to keep in mind if relying upon this.


If they don't know how to email, they probably don't know how to security.


To be fair, checking that an email address is formatted correctly and valid is a challenge. You can't just use a regex.


Modern browsers use this one [0]:

  /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/

That certainly accepts plus signs. I'm sure there are theoretically valid addresses it wouldn't accept (IDNs spring to mind), but HTML5 is willing to be "practically", rather than theoretically, correct. Anyway, there are email validation modules in every popular language. A good technique, which seems very common, is just to make the user type their email twice. Invalidity is not the most important reason why an address could cause problems.

[0] https://www.w3.org/TR/html-markup/input.email.html


Are you sure the periods thing works? I use the plus thing all the time, but I just tested adding random periods and it didn't seem to work.

I'm using an apps account, so that might have something to do with it.


Periods definitely do work (at least on regular gmail accounts). I can't find anything regarding G Apps though. https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-mo...


There can be some odd glitches with that if your -actual- email address has a random dot in it.


I would assume that internally there would be some lookup to know to deliver an email to `myemail@gmail.com' to the actual user at `my.email@gmail.com', but I could be wrong. I can't test this because my email address doesn't use periods.


Yes. There is one "canonical" address - if you try to log in as myem.ail@gmail.com it will fail.


Sadly that's too easily defeated if the spammer really wants to. I personally generate a unique email for each service.


You're right; it isn't foolproof. What it does tell you though is who is selling your personal information.


As this is so well known, won't spammers just remove the "+word" portion and optionally the period marks too?


At my last company, we inserted fake accounts into datasets when sharing with 3rd parties (e.g. SaaS-based analytics). If our data ever made it out, we had the ability to trace the leak to a vendor.
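An added sketch, not part of the thread, of the per-vendor seeding described in the last comment together with the rotation schedule asked about at the top: each canary address is an opaque HMAC-derived local part, so there is no "+word" to strip and the whole address identifies the vendor and rotation. The key, domain, vendor names and record layout are constructed assumptions.

```python
import hashlib
import hmac

# Assumptions for illustration: in practice the key lives in a secrets manager
# and DOMAIN is a catch-all mail domain you control and monitor.
SECRET = b"constructed-demo-key"
DOMAIN = "canary.example"


def canary_address(vendor: str, seq: int = 0) -> str:
    """Derive the seeded address for one vendor; bump seq to rotate it."""
    msg = f"{vendor}:{seq}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]
    return f"u{tag}@{DOMAIN}"


def seed_export(rows, vendor, seq=0):
    """Return a copy of the export with one fake account appended for this vendor."""
    fake = {"name": "Pat Example", "email": canary_address(vendor, seq)}
    return list(rows) + [fake]


def build_index(vendors, rotations=1):
    """Map every canary address ever issued back to (vendor, seq)."""
    return {canary_address(v, s): (v, s) for v in vendors for s in range(rotations)}


def attribute(leaked_addresses, index):
    """Find canaries in a leaked or spamming address list and name the source."""
    hits = {}
    for raw in leaked_addresses:
        addr = raw.strip().lower()  # leak dumps often vary case and whitespace
        if addr in index:
            hits[addr] = index[addr]
    return hits


if __name__ == "__main__":
    vendors = ["analytics-vendor", "crm-vendor"]      # constructed names
    index = build_index(vendors, rotations=2)
    export = seed_export([{"name": "Real User", "email": "real@example.org"}],
                         "crm-vendor", seq=1)
    # Constructed "leak": the shared export resurfaces with altered casing.
    leak = [row["email"].upper() for row in export]
    for addr, (vendor, seq) in attribute(leak, index).items():
        print(f"{addr} was issued to {vendor} in rotation {seq}")
```

Any mail arriving at the catch-all domain is itself a signal, since no legitimate sender should know these addresses.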



