Speaking of which, this alias system from Google is great in theory, but kind of pointless in practice; spammers can easily figure out they can just remove everything from the + sign, including the sign itself, and boom, they have my address without the specific alias.
It's pointless in practice in theory; in practice in practice spammers (in my experience) don't target + aliases. And if you think about the set of people who are likely to give money to spammers, the set of people using + aliases, and the fraction of + alias space that is occupied versus the fraction of non-+-aliased space that is occupied, the reason why becomes clear.
I've tried to use this system in the past, but found it to be a PITA. A lot of email systems won't let you use a +. The other gotcha I get is that they use the email address as a login token (Dropbox, for example). So you have to remember a) that you used a token and b) what it was. Any suggestions on approaching these?
Even though a service might desperately want to know my personal and/or business email address, and disguise that desire with the usual "Hey, just use your email address as your login username!", that doesn't mean I have to comply. Unless they're prepared to accept responsibility for disclosure of my address, I feel perfectly happy taking the required measures to minimise those risks myself - no matter what they attempt to enforce with crappy email validation or ToS requirements.
(And, although Dropbox have finally arrived in their forum-thread ~24hrs late apologising for their "community moderators" calling their customers idiots, the responses from Nathan and especially Chris only strengthen my resolve to ignore any attempt by companies/services to gain access to my personal email addresses as part of their user databases.)
I always use the domain-name minus the top level for my token. So if my base email were "david@example.com", for "dropbox.com" it would be david+dropbox@example.com. That makes it very easy to figure out all the emails I might have (since I'm essentially just remembering a very simple algorithm to generate them). Very often sites have sucky email validation that rejects "+" so I configured my system to allow . and _ to also work the same way. That way I can choose david.dropbox@example.com or david_dropbox@example.com if the + doesn't work.
I once ran into the problem where a retail site forced me to sign up before paying, then refused to accept PayPal payment from any address except the one I signed up with. Of course my PayPal wasn't myemail+retailsite@gmail.com. Very annoying.
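The token scheme from the comment above, as an added example that is not part of the original post or any commenter's own code: it builds the per-site alias with "+", "." or "_" and maps an incoming recipient back to its token, so mail arriving with a site's token (or with the token stripped) can be attributed. The function names and the sample recipients are assumptions constructed for illustration.

```python
SEPARATORS = "+._"  # "+" plus the two fallbacks the comment describes

def site_token(site_domain):
    """Domain name minus the top level: 'dropbox.com' -> 'dropbox'.
    Assumption: single-label TLD; suffixes like 'co.uk' need a public-suffix list."""
    labels = site_domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def make_alias(base, site_domain, sep="+"):
    """Build the alias for a site, e.g. david+dropbox@example.com."""
    if len(sep) != 1 or sep not in SEPARATORS:
        raise ValueError("separator must be one of " + SEPARATORS)
    local, at, domain = base.rpartition("@")
    if not at or not local:
        raise ValueError("base must look like local@domain")
    return f"{local}{sep}{site_token(site_domain)}@{domain}"

def attribute(recipient, base):
    """Return the token in `recipient`, '' for the bare base address,
    or None when the address does not belong to this mailbox."""
    local, _, domain = recipient.lower().rpartition("@")
    base_local, _, base_domain = base.lower().rpartition("@")
    if domain != base_domain:
        return None
    if local == base_local:
        return ""  # token stripped, or the sender never had one
    n = len(base_local)
    # Caveat: with "." as a separator, an unrelated mailbox such as
    # david.jones@ is indistinguishable from base david@ with token 'jones'.
    if local.startswith(base_local) and len(local) > n + 1 and local[n] in SEPARATORS:
        return local[n + 1:]
    return None

def triage(recipients, base):
    """Count inbound mail per token to see which signup address leaked."""
    counts = {}
    for rcpt in recipients:
        tag = attribute(rcpt, base)
        key = "not-ours" if tag is None else (tag or "bare-address")
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample of envelope recipients, not real data.
SAMPLE_RECIPIENTS = ["david+dropbox@example.com", "david.dropbox@example.com",
                     "david_shop@example.com", "david@example.com",
                     "mallory@example.com"]

if __name__ == "__main__":
    print(triage(SAMPLE_RECIPIENTS, "david@example.com"))
```
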
spammers can easily figure out they can just remove everything from the + sign, including the sign itself, and boom, they have my address without the specific alias.
Yahoo! Plus has a much better system where you use a different base email address plus the sub-address rather than your regular address.
For example, if my account is "somebody@gmail.com" then you use somebody+dropbox@gmail.com. But with Yahoo, you pick an alternate, e.g. "huggybear", and use that instead (huggybear-dropbox@yahoo.com). That way if a spammer sees the sub-addressed account, they can't send email to huggybear@yahoo.com unless they want to end up on Yahoo's blacklist.
I've had a great deal more success with Yahoo's sub-addressing than Google's.
I should clarify: with Yahoo plus you only create one base for all your sub-addresses, not a new base for every sub-address.
So in my earlier example, if you wanted to sub-address ebay, amazon and hackernews you'd have huggybear-ebay@, huggybear-amazon@ and huggybear-hn@.
The big deal is that huggybear@ != someone@ and sending to huggybear@ won't reach someone@ and likely earns you a place on their blacklist (or some points towards ending up there).