Why do web site developers feel that "+" is no longer valid?
One of the many features of using Sendmail on a *nix box is the ability to manage and track incoming e-mail by adding a "+" and a word to your email address. Most people know me as jericho[at]attrition.org, while mail lists are more likely to know me as jericho+listname[at]attrition.org. Not only does this make it easier to filter the incoming mail with utilities like procmail, it lets me track the (ab)use of the email address.
If I subscribe to Joe's Frog Discussion list as jericho+frog[at]attrition.org, and end up receiving spam to the same e-mail address a week later, it is a safe guess that Joe either sold my address to spammers, shared the subscriber list with another company, or had his mail list harvested by a spammer. If this happens, I can re-subscribe if I wish, perhaps as jericho+frog1[at]attrition.org and route all mail to jericho+frog[at]attrition.org to /dev/null.
For years, more and more web sites are allowing their users to subscribe to mail lists via web forms. The problem is that these web forms are often poorly coded, or done so ignoring RFC standards. According to RFC 822 the use of the "+" sign and other special characters is valid. As Jeff Woods writes:
Hence an email address/mailbox/addr-spec is "local-part@domain"; "local-part" is composed of one or more of 'word' and periods; "word" can be an "atom" which can include anything except "specials", control characters or blank/space; and specials (the *only* printable ASCII characters [other than space, if you call space "printable"] *excluded* from being a valid "local-part") are:
Therefore by the official standard for email on the internet, the plus sign is as much a legal character in the local-part of an email address as "a" or "_" or "-" or most any other symbol you see on the main part of a standard keyboard.
Despite this, sites like yahoo.com, securityfocus.com, cnet.com and many more don't allow this. It's sad that such companies can't deploy web sites that follow RFC standards.
Other Sites that Fear the +
cve.mitre.org - Mailed 03-12-15
www.fandango.com - Mailed 03-12-17
www.bankofamerica.com - Mailed 04-04-06
www.nokia.com - Mailed 04-08-13
www.vibef.com (Frontier Airlines)
www.netcraft.com - Mailed 04-10-28
Dell Services Game
www.kp.org / www.kaiserpermanente.org
www.whois.sc - Mailed 05-06-14
www.myspace.com - Mailed 05-11-18
www.coverity.com - http://www.osvdb.org/blog/?p=104
verizonwireless.com - Gives errors during account managing about not being able to save email address
www.mypetchicken.com - Mailed 07-02-01
www.shopatron.com - 07-02-22
www.qdoba.com - 07-03-08
www.united.com - 07-02-25 - Mileage plus. Worked for a year, then was told + is invalid. United arbitrarily changed the + to a - without informing me.
www.fedex.com - 12-09-08