I am now getting spam to a email address that I have never publically released. I suppose that it is conceivable that a spammer randomly put together an email based on a domain name. But they have millions of email ids already. I doubt that they would take each doman and brute force search them for new ids?

Another possibility is that I have sent email to this private id and some SMTP server along that route has been comprimised and is logging email addresses.

Or perhaps, my mail system is forwarding all non-valid ids to this primary id. Sigh. This is another problem to investigate. I wish this thing was install once and forget.