Social referral hacking

  • > That way, if you make an account on somesellout.com with youremail+somesellout@mail.com, when you start getting loads of unwanted messages at that address you know who sold your information to spammers.

    I have seen this claim in multiple places, but it seems like it really isn't a robust argument. It is an obvious enough tactic that I have to imagine anyone selling or buying email lists does a simple regex to remove everything between '+' and '@'. Maybe the buyers don't care, but if the sellers are trying to also operate a legitimate business, they'll probably sanitize the subaddresses from their lists before passing the list along.

    So it seems like an easy way to guard against this type of referral hacking is to strip the subaddress from an email and compare that email with existing emails. Store the email with subaddress for actual communication but have the subaddress-stripped email be a 'unique' database column as a comparison.

    Edit: grammar
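
The scheme described in the comment above, sketched as an added example (not part of the original comment): the address is stored as entered for communication, and a subaddress-stripped copy sits in a unique column so the database rejects duplicate signups. The table and function names, the lowercasing step, and the example.com addresses are assumptions made for illustration.

```python
import sqlite3

def canonical_email(address: str) -> str:
    """Drop everything from the first '+' up to the '@', then lowercase.
    Lowercasing is an assumption; the comment only mentions stripping."""
    local, sep, domain = address.strip().rpartition("@")
    base = local.split("+", 1)[0]
    if not sep or not base or not domain:
        raise ValueError(f"not a usable email address: {address!r}")
    return f"{base}@{domain}".lower()

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " email TEXT NOT NULL,"                    # as entered, used for mail
        " email_canonical TEXT NOT NULL UNIQUE)"   # comparison key only
    )
    return db

def register(db: sqlite3.Connection, address: str) -> bool:
    """Insert a signup; the UNIQUE constraint (not a prior SELECT) decides,
    so two concurrent signups cannot both pass the duplicate check."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (email, email_canonical) VALUES (?, ?)",
                (address.strip(), canonical_email(address)),
            )
    except sqlite3.IntegrityError:
        return False
    return True

def demo() -> list:
    db = open_db()
    signups = [  # constructed sample signups
        "alice@example.com",
        "alice+ref1@example.com",   # same mailbox, new subaddress
        "Alice+ref2@Example.com",   # same mailbox, different case
        "bob+shop@example.com",     # first signup for bob, tag kept in `email`
        "bob@example.com",          # duplicate of the line above
    ]
    return [(a, register(db, a)) for a in signups]

if __name__ == "__main__":
    for address, accepted in demo():
        print(f"{address:28} {'accepted' if accepted else 'rejected (duplicate)'}")
```

Only the first signup per mailbox is accepted, and a user who legitimately signs up with a tagged address still receives mail at that tagged address.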