Suspected Data Security Breach at iContact.com

I suspect iContact.com has suffered a data security compromise.

Summary

I have received four nearly-identical spams to four different addresses known only to myself and four distinct websites. These four websites all use iContact.com for newsletter mailing. I have also received this spam to a spam-trap address, but importantly, to no other unique addresses that I use with other websites. The evidence points strongly to a data breach at iContact.com.

Photonlight Email Leak

I bought a product from Photonlight in 2002, and have been on their mailing list ever since. I last received something from them on 30th December 2009. Alas, now I’m also receiving spam to the address previously only known to them.

Slimelight Spam

Another private address bites the dust. Slimelight's webserver has MySQL open to the Internet.

Identical Spam (including headers)

This email was sent to an address I know the spammers have (it is listed on the Debian Consultants page). It is almost identical to several other spams I have been receiving to what I had considered to be private, unique addresses.

Email Addresses Receiving Spam

I give out different email addresses to different providers, mailing-lists and websites to see what gets leaked. It’s partly a check on privacy policies, and partly a way to ensure I can blacklist emails efficiently. I’ve run various schemes with email addresses on my domain maz.nu over the last eleven years. Here is what I have found.

iana

Registered with IANA for a private enterprise number for OIDs, iana is listed on a public website. It gets a lot of junk. There are a number of variations, however, which also receive spam:
