Plus signs in email addresses

Saturday 22 August 2009

One common complaint about “bad” email validators is that they don’t allow plus signs in email addresses. Sophisticated users use plus signs to have “different” email addresses delivered to the same inbox: user+cat@gmail.com and user+dog@gmail.com both go to user@gmail.com.

It occurred to me, though, that the prohibition against plus signs might not be an oversight but an intentional attempt to prevent one user from registering with multiple email addresses on a single site. In other words, the very characteristic of plus signs that makes them appealing to geeks also makes them a useful tool for spammers. As CAPTCHAs show, spammers must be thwarted even if it inconveniences some honest users.

Comments

I think you're giving too much credit. Over-validation is more probably due to either someone who doesn't know the rules (most cases, I suspect) or someone who doesn't care.
Actually I think that yours is a rather elegant solution. It'd certainly work for me and is much more readable than the full RFC822 RegEx: http://ex-parrot.com/~pdw/Mail-RFC822-Address.html - now that is one scary mofo.
If it were intentional, I would expect to see a specific error message instead of the generic "Your email address is invalid according to the regexp I wrote all by myself." that most sites give.
I use a basic regex which probably works for 99% of email addresses in practice. It doesn't allow plus signs. I'm sure there ought to be some repository of basic validation functions for major languages. Heck, PHP should probably include a IsEmailAddressValid() function.
@Michael: the reason I believe this is that some well-engineered sites are preventing pluses, and lots of developers know about the benefits of plus signs.

@Peter: if the goal is to prevent spam, then I would expect there *not* to be a specific error message. The less information you give the enemy, the stronger your defenses. Have you noticed when you enter an incorrect password, the message isn't "Password is incorrect?" It's always "your username and password don't match" or something similarly vague.

@Charles: maybe you can help answer this question by telling us: why do you exclude plus signs?

The plus sign, while seldom used, is accepted by Google and I have used it on occasion. YMMV
Noah Kantrowitz 2:53 PM on 22 Aug 2009
The same argument could be made about . in GMail addresses, and that seems to be accepted everywhere.
Going back to basics and looking at RFC 2822 it seems to me (though I'm not absolutely sure of their notation) that '+' is allowed anywhere in the local part (the bit before the "@") and dot is allowed anywhere in it except at the beginning or end and there can't be two consecutive dots.

++@example.com Good
a.b.c@example.com Good
.a@example.com Bad
a..b@example.com Bad

Within these rules any further interpretation of the local part (e.g., of "usr+cat") would, it seems to me, be a matter for the receiving e-mail system. It would be a bit much, therefore, to eliminate addresses containing "+" unless you only did it for systems you knew made this special e-mail box sharing interpretation.

My ISP sends everything in my domain to my e-mail box allowing me a near infinite number of possible addresses. If somebody wanted to play the "+" trick mentioned above they'd only need to get an account like this to get round any such "+" filtering.

Hmmm, I think I might start using ++@mydomain for issues related to a certain derivative of C.
Of course, since the entire left-hand-side of an email address is completely arbitrary from the point of view of email handlers — they, after all, have no idea how your local machine will interpret the "local part" to the left of the "@" sign — you don't have to use "+" as your "special character" for email address multiplexing. I used "-" back when I used to bother (I eventually discovered that most spam came directly to my inbox, so trying to track which company had "sold my email address" when spammers were getting it right off of mailing lists was pretty silly), by setting "recipient_delimiter = -" in my postfix/main.cf. I just checked and, all of these years later, it's still there. :-)

"It occurred to me though, that the prohibition against plus signs might not be an oversight, but an intentional attempt to prevent one user being able to register with multiple email addresses on a single site." - I think it's an unintentional bonus!
Because I see no benefit in including them. Nobody I know uses a plus sign and those that do are probably used to not being able to use their email address on certain sites! ;)
I tend to think that companies don't like to make it easier for you to filter mail from them by allowing you to give them a unique email address.
Disallowing plus addresses should be illegal. If the purpose is to prevent spammers, the respectful solution would be to disallow multiple equivalent addresses instead.

@Jean: This typically means the company is sending spam, otherwise they wouldn't worry about getting filtered.
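One defender's way to act on both points raised in the comments (accept the local-part syntax the RFC actually allows, including "+", and catch duplicate sign-ups by canonicalising equivalent addresses rather than rejecting them), as an added example that is not code from the post or its commenters. The provider table (which domains fold sub-addresses, with which delimiter, and which ignore dots) is a constructed, illustrative assumption; a real deployment needs its own verified list, and as one commenter notes a catch-all domain evades this entirely.

```python
import re

# Simplified local-part check following the rules the commenter drew from RFC 2822:
# atext characters (including '+'), with dots allowed but not leading, trailing or doubled.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_PART_RE = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")

# Constructed table (assumption for illustration): providers known to deliver
# sub-addressed mail to one inbox, keyed by domain with their delimiter, and
# providers that also ignore dots in the local part.
SUBADDRESS_DELIMITER = {"gmail.com": "+", "example.com": "-"}
IGNORES_DOTS = {"gmail.com"}


def is_valid_email(address: str) -> bool:
    """Syntactic check only; deliberately accepts '+' in the local part."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    return bool(LOCAL_PART_RE.match(local) and DOMAIN_RE.match(domain))


def canonical_email(address: str) -> str:
    """Map addresses that reach the same inbox onto one key for duplicate detection."""
    local, domain = address.split("@")
    domain = domain.lower()
    delim = SUBADDRESS_DELIMITER.get(domain)
    if delim and delim in local:
        local = local.split(delim, 1)[0]   # drop the "+cat" / "-cat" tag
    if domain in IGNORES_DOTS:
        local = local.replace(".", "")
    # Case-folding the local part is lossy under the RFC, but most providers
    # treat it as case-insensitive, so it is folded for the duplicate key.
    return f"{local.lower()}@{domain}"


def find_duplicate_signups(addresses):
    """Return (new_address, earlier_address) pairs that canonicalise to the same inbox."""
    seen, dups = {}, []
    for addr in addresses:
        if not is_valid_email(addr):
            continue
        key = canonical_email(addr)
        if key in seen:
            dups.append((addr, seen[key]))
        else:
            seen[key] = addr
    return dups
```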
