Ask HN: name@a.com and name+1@a.com should be considered 2 different accounts?
6 points by mcs_ 5 months ago | 18 comments
Assuming your website has a sign-up and you provide some free credit/usage for each new sign-up.

In Gmail and GSuite accounts (not sure if other email services do the same) you can do the +1 trick.

Add +N after your username and receive the email in the same sandbox (which is actually useful in many cases).

The point is, knowing that, do you consider

user@gmail user+1@gmail user+2@gmail user+3@gmail user+4@gmail user+5@gmail

as 6 different and unrelated accounts in your db?

Is it fair to _regex_ the email and remove the +1 trick?

What is the value of the resource you're providing with each signup? Running a regex is only worth it if you're offering value that you have to pay for, like a free tshirt or some paid compute credits. And even then, it's only a problem if you have insufficient cash to cover the abuse.

If however you're offering LOW COST items (ex: digital goods, or a free month of your SAAS), then absolutely do not filter these. Search for them afterward and contact them. These are some of your most valuable users: people who are willing to put up with the pain of creating new logins over and over again just to use your service. Find out what they love. Find out what it would take for them to start paying. They can provide intelligence far in excess of the free service credits you're providing.

Thanks for sharing this perspective.

You should always treat that case as distinct email addresses.

If you have problems with one person signing up multiple times then this won't fix it for you. There are many other ways a person can have lots of email addresses. You will waste a lot of time chasing your tail.

I reasonably use plus-style addresses to establish different identities, and I generally pass on a website if their registration or other processes assume things about my address or disallow valid characters in an email address.

I also don't try and rip-off a website by abusing their free services.

You should treat them as unique, Google is not the only e-mail provider.

You can use that knowledge in constructing your anti-spam heuristics though.

A plus sign is allowed in the user part of email addresses. Though it's most commonly used as a tag (and I've only seen it used that way) it could be used as an actual address and since the receiving mail server decides how to handle it you have no way of knowing.

If you choose to strip the tag I'd only do so when processing a new signup and make sure that the user can login with his user+tag@example.com and that all email goes to that address.
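To make the two points above concrete (use the tag knowledge only as an abuse heuristic, and never let it change the address a user logs in with or receives mail at), here is an added example in Python. It is not code from anyone in this thread. The provider lists are an assumption for the example: Gmail/Googlemail are the providers the thread says ignore "+tag" (and dots) in the local part; for every other domain the local part is kept verbatim, since the receiving server alone decides what a "+" means.

```python
import re
from typing import Dict, List, Optional, Tuple

# ASSUMPTION for this example: only these providers are known to treat "+tag"
# suffixes and dots in the local part as no-ops. Extend the set only for
# providers whose behaviour you have verified; elsewhere "user+1" may be a
# genuinely distinct mailbox, and "+" is a valid local-part character.
PLUS_TAG_PROVIDERS = {"gmail.com", "googlemail.com"}
DOT_INSENSITIVE_PROVIDERS = {"gmail.com", "googlemail.com"}

# Deliberately loose: one "@", no whitespace. Full RFC 5322 validation is out
# of scope here; the point is to keep the local part untouched.
EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def split_address(address: str) -> Tuple[str, str]:
    """Return (local, domain). Domain is lowercased (DNS names are
    case-insensitive); the local part is returned exactly as typed."""
    m = EMAIL_RE.match(address.strip())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    return m.group(1), m.group(2).lower()


def heuristic_key(address: str) -> str:
    """Key used ONLY to group sign-ups for abuse review, never for login or
    mail delivery. Tags and dots are folded away only for providers known to
    ignore them; everyone else keeps their local part verbatim."""
    local, domain = split_address(address)
    if domain in PLUS_TAG_PROVIDERS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_PROVIDERS:
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


class SignupStore:
    """Stores the exact address the user signed up with (used for login and
    all outgoing mail) alongside the heuristic key (used for review only)."""

    def __init__(self) -> None:
        self.by_address: Dict[str, dict] = {}     # exact address -> record
        self.by_key: Dict[str, List[str]] = {}    # heuristic key -> addresses

    def register(self, address: str) -> dict:
        local, domain = split_address(address)
        exact = f"{local}@{domain}"
        if exact in self.by_address:
            raise ValueError("address already registered")
        record = {"email": exact, "heuristic_key": heuristic_key(exact)}
        self.by_address[exact] = record
        self.by_key.setdefault(record["heuristic_key"], []).append(exact)
        return record

    def login(self, address: str) -> Optional[dict]:
        """Login must work with the tagged address exactly as registered."""
        local, domain = split_address(address)
        return self.by_address.get(f"{local}@{domain}")

    def suspicious_clusters(self, threshold: int = 3) -> Dict[str, List[str]]:
        """Heuristic keys with at least `threshold` sign-ups: a list for a
        human to look at, not an automatic block."""
        return {k: v for k, v in self.by_key.items() if len(v) >= threshold}


if __name__ == "__main__":
    # Constructed sample sign-ups, not real accounts.
    store = SignupStore()
    for a in ["user@gmail.com", "user+1@gmail.com", "u.ser+2@Gmail.com",
              "bob+shop@example.org", "bob@example.org"]:
        store.register(a)
    print(store.login("user+1@gmail.com"))        # found under the tagged address
    print(store.suspicious_clusters(3))           # only the Gmail trio is grouped
```

The design choice is that the folded key lives beside the record rather than replacing it: the address column stays exactly what the user typed, so delivery and login are unaffected, while the review query runs over the key. For a non-Gmail domain, "bob+shop@example.org" and "bob@example.org" stay separate keys, which is the safe default the rest of the thread argues for.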

The best solution to this problem I heard was along these lines:

* have a separation between accounts and users. An account is the entity that pays for the service. Usually an account has users associated.

* collect payment/credit card information on account creation

This way, you don't really care about user+1, because you have their payment info already, and can assume at least some intention to pay after their free tier is up.

There are many legitimate reasons why somebody doing an evaluation would create several users, i.e. I do name@a.com as well as name+testing@a.com in a few services.

If you find out that too many of your customers are not willing to pay, look at it more as a business problem, trying to reach better customers that you can charge more, rather than to better enforce some account de-duplication.

I think I heard this approach from patio11, Amy Hoy or some interview on Mixergy?

Thank you, I like the idea of rules. Billing, user, admin etc.

The issue with the credit card verification before trying the product is that as a user, I do not like that approach.

I want to try first and eventually pay. That is the experience I'd like to offer.

The best approach to credit cards, imho, is the Heroku one: you get a little bit of stuff no questions asked, but you get twice the free stuff if you validate a CC. This way, the user has an incentive to put a CC down even if she’s not going to pay right away, which is good in itself (because you can then leverage it by making it extra-easy to impulse-buy later, as well as improving the quality of your db).

For the record, I am one of those people using + as a tag, just so my username is a bit different site by site but still easy enough to remember (yeah I use a password manager, but a little bit of extra hygiene never hurt anyone). I'd be incredibly pissed off if sites started trying to be clever with it; I guess I could tolerate a duplicate detector, as long as it doesn't stop me from signing up as soon as a + is detected.

If you see people abusing it, I would have a “hunting” routine and gently ask the worst offenders to shape up lest they get banned.

For max portability, you should not try to notice that these variants might be the same account.

The address extension is not always a + symbol.

The . in a Gmail user is a NOOP.

I treat them all as unique

This is one of my favorite tricks for testing web apps. The only downside is getting your inbox blown up when the company runs an email blast, but it's nothing a filter can't catch.

I think these patterns are generally negative for most ecommerce companies (you've priced too low, you're signing up tons of low-LTV customers at huge CPA, etc.) and good for SaaS companies that can solicit feedback or otherwise monetize their "frequent triers".

In GSuite it's also possible to redirect all unmatched addresses to some email address, e.g., invalid1@a.com, invalid2@a.com all go to valid@a.com

You should consider asking for phone verification, or keeping a credit card on file.

If you take up the suggestions here you will need to convince me that you are not abusing an important identifier and that you can protect my data.

My default answer for most sites is that I don't trust you with my phone number (e.g. Facebook using recovery phone as an undisclosed identifier) and certainly not my credit card number in some random database.

> You should consider asking for phone verification, or keeping a credit card on file.

This is absolutely terrible advice, unless 1) your site is a commerce site, and you actually need credit card information and/or a phone number to do business, or 2) you cannot use a payment system like PayPal for transactions because you got banned for some reason, so you need to store CC info.

In any case, you actually do not need to store credit card information, because you are probably doing it wrong if you are suggesting random people on the internet also do the same on their websites without knowing anything else about what they do.

Any pointers on how to do that?

There are email providers other than gmail. In many of these systems, the “+” character indicates a truly distinct email rather than an alias.

Me too, I'd treat them as unique; even though some big companies don't, most do, so I'd just go with the flow.

Just don't accept email addresses with a + in them.
