I don’t think there is a standard practice on how to handle this, other than not allowing + all together. On the other hand, preventing it doesn’t seem to be that useful. It won’t take more than a few minutes to create an entirely new e-mail address on some free service if whoever you’re intending to block-out really needs it.

It should also be noted that a lot of other e-mail providers also provide subaddressing, but not using the plus sign, but with a hyphen (Yahoo, Runbox, etc.), and attempting to block this out will only cause trouble for anybody just having an e-mail address with a hyphen in it. It’s a war that you’ve already lost.

Besides, if you filter out plus signs, you’re essentially not compliant with the RFC3696 standard anymore:

The exact rule is that any ASCII character, including control
characters, may appear quoted, or in a quoted string. […]

Without quotes, local-parts may consist of any combination of
alphabetic characters, digits, or any of the special characters

! # $ % & ' * + - / = ?  ^ _ ` . { | } ~

But you could just strip out the plus part if you insist.

$emails = array('bob@gmail.com','bob+1@gmail.com','bob+hello@gmail.com');

foreach ($emails as &$email)
{
    list($identifier, $domain) = explode('@',$email);
    list($name) = explode('+',$identifier);
    $email = $name."@".$domain;
}
    
print_r($emails);

The above will give you

Array
(
    [0] => bob@gmail.com
    [1] => bob@gmail.com
    [2] => bob@gmail.com
)