Also, how you can track who let spammers get your address!
I have my own domain which I use for signing up to various websites. My registrar [and many others] allow me to have a "catch-all" so any mail sent to my domain is forwarded to my regular address. When I join a website, I use the name of the site in the address like this example:
So, if I get mail to that address, I can easily filter it into my 'Instructables' folder, and also see if spammers have gotten it. I never use it anywhere else, and I can't even send mail from it, so only one website even knows the address.
Yesterday, the spam [Re4plica Wat4ches Nice Gift] started to my unique instructables address.
This has happened with other websites [vox.com, for instance], and I have informed them, usually to a mute silence. Sometimes, they claim it was a dictionary attack and that spammers are just jamming random words and phrases onto domains and sending those.
Maybe, sometimes, they are right. Maybe some spammer has "instructables" in his dictionary and just tried it out on my personal domain. Maybe not!
I also got spam from 3 forged addresses [so far]:
I went to the "forgot my info" page, and entered those addresses. All are valid here. I tried a randomly typed address, and was informed it was invalid.
This is a security design mistake, it should silently fail instead.
Now, if this had been a dictionary attack, I can certainly imagine the evil, but not stupid, spammers already know my technique, and might try 'firstname.lastname@example.org' or 'instructables.com@..." but the chances of guessing "instructables.kz8" and have it just happen to be a valid Instructables community member are practically nonexistent.