Comment by alexfoo
Clever spammers (there are some!) see the presence of company@<domain> and assume the user will have similar emails for other accounts, so it might be worth trying ebays scams to ebay@<domain> or banking scams to chase@<domain> or boa@<domain>. Sending is cheap so why not, you're not trying to fool everyone, only a few.
I use a unique string per company but it's not guessable in advance, but it's obvious when looking at it and squinting a bit, for example (and these are not the exact ones I use): sundclod@<domain> or ebuy@<domain> or amzoon@<domain>
Sure I have to remember them but it's easy for me to check and my password manager is filling them in for me 99.99% of the time.
I can filter on those emails instead, and I also know that anything coming to soundcloud@<domain> or ebay@<domain> or amazon@<domain> is definitely spam as I've never used those addresses myself.
If sundclod@<domain> appears in a leak I can (hopefully) change my account email at Soundcloud to sondclud@<domain> and then confine sundclod@<domain> to /dev/null
I have three different generations of email addresses associated with United Airlines that all receive spam. Never any disclosed breaches AFAIK, but clearly email addresses got out at several points. At some point I stopped bothering to check.
As for Soundcloud, the password I had saved for it and a tiny bit of profile information tells me a lot - a manually created password saved into a password manager, probably in 2010 or 2011 and unused after grabbing a single track.
Addresses for services I actually care about also get what's basically peppering, and have all had updates much more recently than the days of Blackberry devices.