That's true in theory. In practice however, I've had success with figuring out a service that leaked my dotted address (I used a dot because the service didn't validate email with plus). I think this is often the case too because, spammers don't really bother validating emails by postprocessing etc. and just sell the emails in bulk in shady markets