Tags:





Rejected email with plus addressing
December 19, 2007 11:50 AM   RSS feed for this thread Subscribe

Why do very few websites accept plus-addressing in emails for signups?

Say I wanted to sign up for SketchyWebsite.com's mailing list. I use gmail, which pleasantly supports plus-addressing. I type in (myemail)+sketchy@gmail.com, so I can filter it out or figure out if they sell my email to every other sketchy website out there.

But it doesn't accept that this is a valid email address. Even though it is.

So why do so many website registrations reject emails with plus addressing information? Is it harder to filter for valid emails if we allow this, or is there a simpler (or more complicated) explanation?
posted by that girl to computers & internet (19 comments total) 1 user marked this as a favorite
Because it's not common
posted by evilelvis at 11:52 AM on December 19, 2007


That's not true at all. It's certainly valid and common. Many front-end programmers are lazy and don't bother accepting valid emails, only alphanumeric (a-z, A-Z, 0-9) with whatever extras *they* think are valid - typically _, ., and maybe -.

Here's a discussion on validating email addresses.

Here's the full regular expression one would use for the best coverage of specification-compliant checking.
posted by kcm at 11:59 AM on December 19, 2007 [2 favorites]


Its valid and common but I think most programmers dont *know* that those email address are valid or common.

Most of the code you find online that validates email addresses doesn't take into account the "plus" part. So I guess, this only propagates this mistake.
posted by edmz at 12:03 PM on December 19, 2007


Because many of the programmers think they know what a valid email address looks like so don't bother to check the RFC (if they even know it exists or what an RFC is).
posted by Mitheral at 12:05 PM on December 19, 2007


kcm: Here's the full regular expression one would use for the best coverage of specification-compliant checking.

Wow, that regexp is just crazy. x|
posted by Foci for Analysis at 12:11 PM on December 19, 2007


Front-end programmer idiocy regarding pluses is why spamgourmet exists.
posted by meehawl at 12:15 PM on December 19, 2007


What edmz said: the immediately-available regular expressions on the net tend not to allow a plus sign.
posted by yerfatma at 12:52 PM on December 19, 2007


The relevant snippits of RFC 2822 are:


atext = ALPHA / DIGIT / ; Any character except controls,
"!" / "#" / ; SP, and specials.
"$" / "%" / ; Used for atoms
"&" / "'" /
"*" / "+" /
"-" / "/" /
"=" / "?" /
"^" / "_" /
"`" / "{" /
"|" / "}" /
"~"

dot-atom = [CFWS] dot-atom-text [CFWS]
dot-atom-text = 1*atext *("." 1*atext)

addr-spec = local-part "@" domain
local-part = dot-atom / quoted-string / obs-local-part
domain = dot-atom / domain-literal / obs-domain


Yes, it's in the RFC. So are quoted strings for the address part ( for example, "John Doe"@domain.com), and characters like { and }. My point is that there's a lot of stuff in RFCs that hardly anyone supports because hardly anyone uses. The fact that 'plus addressing' is becoming popular now doesn't change that. Yes, it's shitty that a web programmer made that call for you, and yes, it should have been done differently, but it wasn't, because it didn't need to be. Chill out, maybe send a friendly reminder to the webmaster. Or, realize that the + was never intended to be used for this purpose, and that Google et al. have chosen to use a convention they likely knew was going to be problematic. They could have just as easily chosen '.', or '-', or, all caps for a tag specifier.
posted by devilsbrigade at 12:57 PM on December 19, 2007


On a less techie note, web site owners don't really have an incentive to change. Filtering out addresses with a '+' means that they get your real gmail address, rather than one that you create for their site. If they're an evil company, this gives them a trivially better chance of landing spam in your inbox, since you have to give them me@gmail.com, rather than me+spam@gmail.com or me+blocked@gmail.com.
posted by mysterious1der at 1:03 PM on December 19, 2007


As a programmer, I want to second what was already said: "Lazy and/or ignorant programmers".
posted by blue_beetle at 1:13 PM on December 19, 2007


spamgourmet, or nslmail are great. spamgourmet has the bonus of not requiring configuration, but has the same weakness of + addressing, that spammers can figure out your real address; nslmail makes random email addresses, and lets you reply through them too. for the most part though, spammers aren't going to bother sifting through addresses, so + addressing is fine - I have one email I use for + addressing, one I use for nslmail, and forward them both to my real email.
posted by lrodman at 1:18 PM on December 19, 2007


I think it's probably more due to ignorance or pride than laziness. Recall that the laziest programmers are often the best. It's so much easier to call library code than to parse things yourself, after all.

Also, if you take out the things for handling white space from the regular expression that kcm linked, it might actually be readable. I wouldn't be surprised if it's correct, but it could certainly be made simpler.
posted by Zach! at 1:39 PM on December 19, 2007


spammers can figure out your real address

How can you figure out my real email from this?
+xyzdq+meehawl+ejb0b85a38.membership#noreply.redacted.com@spamgourmet.com

I can reply to this obfuscated From: and it gets routed back and forth. I've noticed that some sites actually filter out nsl and spamgourmet as allowed domains, so that's why there are alternate domain names (well, for spamgourmet, not so familar with nslmail).
posted by meehawl at 1:40 PM on December 19, 2007


Or, realize that the + was never intended to be used for this purpose, and that Google et al. have chosen to use a convention they likely knew was going to be problematic.

I'd just like to say that Carnegie Mellon has been using the plus sign like this since at least 1996, and possibly earlier. (Or rather, they used to allow this, I can't tell you for sure if they still do.)

And fyi for people using gmail, you can still give slightly obfuscated emails -- you can just throw a period anywhere in your address; google just filters those out. So if your email is username@gmail.com, you can submit "usernam.e@gmail.com" for example. Obviously this doesn't give you as many options as using the plus sign, but it does help a little.
posted by inigo2 at 2:21 PM on December 19, 2007


"realize that the + was never intended to be used for this purpose"

As inigo2 says this usage is at least 10 years old, maybe more. And for that matter, the intended purpose is irrelevant. The point is that it is a valid character in an email address, and has been since RFC822 days.

Laziness and ignorance.

If you are determined to be a lazy programmer, it would be better to not check, or perhaps just check for an @ character, than to do this kind of lazy checking. If someone gives you a crap email address, it's their problem, right?
posted by i_am_joe's_spleen at 2:39 PM on December 19, 2007


What's even better is when their app gets the CGI quoting wrong and treats the + as if it were a space. A shocking number of apps do that, a security problem just waiting to be discovered.
posted by Nelson at 3:37 PM on December 19, 2007


That's where I got used to the +, inigo2. Sadly, my Carnegie Mellon address went away, with that silly graduation thing. I miss pine. Google is just the current fallback.

It is curious how web sites try to 'validate' email addresses now, instead of just having the sign-up procedure fail if the person doesn't do that little extra verification step that most places have anyway.

I have also sent emails to people with the "Name Goes Here"@blabbity.bla convention, actually.
posted by that girl at 4:26 PM on December 19, 2007


My email address ( dmd at 3e dot org ) gets rejected all the time (like, more than 20% of sites), alternatively for starting with a number or being too short.
posted by dmd at 5:06 PM on December 19, 2007


web site owners don't really have an incentive to change. Filtering out addresses with a '+' means that they get your real gmail address, rather than one that you create for their site
Thats what I always assumed was the primary reason

Recall that the laziest programmers are often the best

That's true only in a very specific sense, not as a general truism. Not double checking the spec and making sure your code works does not make a good programmer.
posted by jpdoane at 6:21 PM on December 19, 2007


« Older I just started a paralegal job...   |   Because of an injury, I carry ... Newer »
This thread is closed to new comments.