> Doesn't stop someone just removing the + tag on the email address.
It won't stop spam, but the biggest risk with these leaks is from automated testing of a password found from a leak on one service you use with the same email address on another. As long as you use a separate + address for both you'll be safe, as they are unlikely to automate testing of different + addresses since most users don't do that.
> A better way is to set up a catch all on a domain... but then you're likely to get a lot more spam
I forward my catch-all domain emails to gmail. I hardly get any spam now except to leaked addresses, which I've filtered to add bright red labels so I can ignore them.
Is it too much of a reach to assume that any half-talented identity thief or exposed-user-list-scammer might be smart enough to know about rfc5233, and would write scripts/bots to automatically try the obvious variations of an email address of the form localpart+tag@example.com?
If I were attempting to exploit the Adobe list, every email address I saw like name+adobe@example.com, I'd try the exposed password using not just name+adobe@example.com and name@example.com, but also name+othertarget@example.com, where "othertarget" might be something like twitter, facebook, paypal - depending on where I'm attempting to misuse the exposed credential.
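A filter in the spirit of the catch-all labelling described in the first reply, extended to also flag the tag-stripping and tag-guessing variants the post above worries about. This is an added Python example, not code from any poster; the domain, user part and the issued/leaked tag sets are constructed assumptions standing in for the inbox owner's own records.

```python
from typing import Optional, Tuple

# Constructed sample state for one catch-all domain (assumption: the owner keeps
# a record of every tag handed out, and of which tags later showed up in a leak).
DOMAIN = "example.com"
ISSUED_TAGS = {"adobe", "bank", "newsletter"}   # tags deliberately given to services
LEAKED_TAGS = {"adobe"}                           # tags seen in a published breach dump


def split_subaddress(addr: str) -> Tuple[str, Optional[str], str]:
    """Split user+detail@domain (RFC 5233 style) into (user, detail, domain).

    detail is None when no '+' separator is present. Comparison is
    case-insensitive, so the result is lower-cased."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    user, plus, detail = local.partition("+")
    return user, (detail if plus else None), domain


def label_recipient(addr: str, user: str = "me") -> str:
    """Label mail by the recipient address it arrived at on the catch-all domain.

      'leaked'    tag is known to have appeared in a breach
      'stripped'  bare base address, which the owner never hands out
      'guessed'   a plus-tag the owner never issued (tag rotation or guessing)
      'ok'        an issued tag with no known leak
      'foreign'   not our domain or not our user part
    """
    u, detail, domain = split_subaddress(addr)
    if domain != DOMAIN or u != user:
        return "foreign"
    if detail is None:
        return "stripped"
    if detail in LEAKED_TAGS:
        return "leaked"
    if detail not in ISSUED_TAGS:
        return "guessed"
    return "ok"


def triage(recipients) -> dict:
    """Label a batch of recipient addresses taken from incoming mail headers."""
    return {r: label_recipient(r) for r in recipients}
```

Anything labelled 'stripped' or 'guessed' is worth a red label too: it is exactly the mail you would expect after someone rewrote a leaked tagged address.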