Frank, thanks for the thoughtful reply and for forwarding in hope of maybe making an exception. The only chime-in that I'd like to make is that plus signs (+) are a bit different. Unlike ignoring periods, which seems to be a Gmail-specific thing, subaddressing is quite widespread on major platforms, including Sendmail, Gmail, and others. Sendmail has supported subaddressing for over 20 years, as far as I know. And while not strictly required for compliance with SMTP RFC 5321, subaddressing does have its own RFC (5233) which captures real-world use, so it's not a standards-free usage. 🙂 And whether or not subaddressing is standards-based is, as you point out, sort of a separate issue. PayPal customers are unable to prevent third parties from even preliminarily associating an email address that they do not control with their own PayPal account. I filed bugs for both the dot problem and the plus problem this morning, but both have been marked as unactionable, on the assertion that fraud detection algorithms would almost certainly catch any actual attempts to fraudulently use the mis-association. While I'm sure that this is largely true, it nevertheless remains counterintuitive for users to receive emails from PayPal that are clearly not intended for them ... forever, without recourse. Not all problems need to be fraud-inducing to be worthy of love. 🙂 It also seems worrying that even though someone else has associated "firstlast @ gmail.com" with their PayPal account (such that if I try to add "firstlast @ gmail.com" to my own account it is denied), I can cheerfully add "firstlast+bogusthing1 @ gmail.com", "firstlast+bogusthing2 @ gmail.com", etc. without being denied. Update: forgot to mention that those not-for-me emails may have sensitive information in them. 
When I discovered this issue for the first time this morning, it was when I got an email intended for my alter ego, notifying them that PayPal's "One Touch" had been enabled for their phone, with specific information about what kind of phone they have (which is none of my business, and something that I would rather not know). And since the email address they used is shown in the email, an unscrupulous third party could also use the password-reset interface to collect that user's partial phone number, etc. and start to stitch a number of things together for naughty purposes. Just because I can't think of a way to abuse it doesn't mean that a more motivated and resourced threat actor couldn't. And this was all sent to an email address that they never proved to PayPal that they control. Thanks again!
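As an added example (not code from the thread or from PayPal), here is the kind of address-collision check the post is asking for: a canonicalisation step that makes Gmail-style dot-folded and RFC 5233 subaddressed variants ("firstlast+bogusthing1@gmail.com") collide with an already-registered base address. The provider table and the choice to treat "+" as the default subaddress separator are assumptions for this example.

```python
# Added example: canonicalise a mailbox address for duplicate detection so
# that subaddressed (user+tag) and dot-folded variants collide with the base
# address, instead of being accepted as distinct, unverified addresses.

# Assumption (constructed for this example): providers that ignore dots in
# the local part, and the subaddress separator each provider uses.
DOT_FOLDING_DOMAINS = {"gmail.com", "googlemail.com"}
SUBADDRESS_SEPARATORS = {"gmail.com": "+", "googlemail.com": "+"}
# Policy assumption: treat "+" as a subaddress separator everywhere else too,
# since subaddressing is widespread (Sendmail, Gmail, ...).
DEFAULT_SEPARATOR = "+"


def canonicalize(address: str) -> str:
    """Return a comparison key for an address: domain lower-cased, the
    subaddress tag removed, and dots folded where the provider ignores them.
    The key is for collision detection only, not for sending mail."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    separator = SUBADDRESS_SEPARATORS.get(domain, DEFAULT_SEPARATOR)
    # user+anything -> user (everything after the first separator is the tag)
    if separator in local:
        local = local.split(separator, 1)[0]
    if domain in DOT_FOLDING_DOMAINS:
        local = local.replace(".", "")
    # RFC 5321 allows case-sensitive local parts, but for collision checks
    # a case-insensitive key is the safer choice.
    return f"{local.lower()}@{domain}"


def is_claimed(address: str, claimed: set[str]) -> bool:
    """True if `address` collides with any already-registered address,
    so a registration flow can refuse it or require verification."""
    keys = {canonicalize(existing) for existing in claimed}
    return canonicalize(address) in keys


if __name__ == "__main__":
    registered = {"first.last@gmail.com"}  # constructed sample data
    for candidate in ("firstlast+bogusthing1@gmail.com",
                      "First.Last+bogusthing2@GMAIL.COM",
                      "firstlast@example.org"):
        print(candidate, "->", canonicalize(candidate),
              "claimed" if is_claimed(candidate, registered) else "free")
```
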