The problem may not be that your e-mail was harvested from or sold by one of the communities you've used it to sign up for. Sending an e-mail is, for all intents and purposes, free and so an enormous number of e-mails can be sent for mere pennies. This allows spammers to simply fire off e-mails to any number of addresses at once, without regard to whether the addresses all exist. Once they pick a domain (and .edu domains are good targets since in many cases every student (and, like you, alumni) usually has there own account, often with predictable names (for example John Smith might be firstname.lastname@example.org.) Many e-mail transfer agents will "bounce" an invalidly addressed e-mail back to the sender, which the spammers can use to clear out invalid addresses from their list.
On the other hand, it's by no means impossible that one of the communities you've signed up for has leaked your e-mail address, either intentionally or not. Many online communities share their members' info, or part of it, with third parties such as advertisers or corporate affiliates. These advertisers and affiliates may leak the info to their affiliates, and so forth. Any one of these entities might have sold or have stolen their database of user information.
To put it simply: it's generally not practical to track down from where a particular spammer acquired your address.
One solution available in some e-mail services (notably GMail) is the ability to tack on arbitrary information to your e-mail address and still have it arrive in your inbox. This extra info takes the form of youractualaccountname+somedata
@gmail.com. The plus sign (+) and everything after it to the @ sign are ignored for the purposes of addressing a particular account but can be used to identify the source of the e-mail. For example, if you had the address email@example.com and you wanted to sign up at example.com, you could supply this as your e-mail address: firstname.lastname@example.org
. All e-mails sent to that address would arrive in your inbox (or spam folder) just like any other message, but you would be able to see that the specific address you gave to example.com was used. Thus, if a spam arrives addressed to email@example.com from anyone else but example.com, you would know from where the spammer got your address.
And lastly, if the To: field of an e-mail is blank it generally means that only the BCC
: field was specified, which allows the sender to send the e-mail to many addresses without revealing those addresses to every recipient.
Edited by Andrew, 05 November 2011 - 03:35 PM.