I'm not sure how the spammers get the email addresses. For some of the sites, I receive no other emails except for those directly related to the service. So, I don't think the sites are selling the addresses to marketers in general. It might be internal employees harvesting and selling the info for extra money. It might be hackers. It might be those same things, but at some third-party mailing list management company.
I've tried contacting a few of the companies. I typically don't hear back from them. It's likely their customer service has no idea what to do with the information. Some of the companies probably don't have dedicated network security staff that can investigate. Many probably don't understand how I'm using email addresses in this way. I've been asked if I'm an employee because they saw their company name in part of the email address, but it was before the @ instead of after, which makes a huge difference technically.
So, this will be a running list of companies, web sites, and services that have somehow passed my email address to spam/malware emailers:
- bitly.com URL shortener service. Site was hacked in 2014
- Atterberry Auction - auction company in Columbia MO. Created an online bidder account.
- Longevity - welders. I sent a question to their customer service dept via their web site.
- Equifax - two different addresses from the free annual credit reports they are required to provide. I'm still getting spam often, but the email addresses are ones I used a few years ago -- nothing recent.
- zoneedit.com - I saved some off from a few years ago. I haven't noticed anything recent.
- AOPA (Aircraft Owners and Pilots Association) - A few years ago, nothing recent
- Zappos (two different email addresses)
- Dropbox - This could be from some other app or site I gave access to my dropbox profile.
- CMP Technology, formerly CMP Media. Published Infoweek magazine. An email address that I gave them in 2008 is receiving spam with virus attachments.