I get about four or five of these incidents a month.
I use unique addresses for EVERYTHING. I'm very careful to always press the buttons to NOT send me third-party email etc.
Yet four or five times a month, some email of mine that I've entrusted to a company will get spammed. It's not some evil conspiracy of PlusNet, but it only takes a single rogue employee with access to the database. Those kinds of things sell very well, you know.
Just this month:
securityfocus@ (likely a Usenet scrape)
PlusNet don't have my business any more, since the BT takeover, but I'm sure I wouldn't be surprised to see their name in there either.
Once had a guy from a company spam me to rm@ (I work in schools, RM are a major supplier for some places). When I dug into it, he was a former employee that had left the company to start his own selling IT furniture to schools... someone obviously decided to just walk off with the RM company database to start their own company with those contacts.
I complained, nothing much was done. Nothing much CAN be done. Once your address is out there, it's out there.
If you want to control it, buy the cheapest domain from the cheapest registrar, set up email forwarding (literally one click usually) and then start using firstname.lastname@example.org for everything. When one gets spammed, block anything sent To: that address in whatever account you forwarded it to.
Hell, I even write in the SMTP reject message why:
Recipient address rejected: Account has been spammed by the company given that email. All emails blocked.
Don't have just one email. Have an infinite number of throwaway ones.