I went through a phase of using unique usernames and a catch-all domain some years ago to see where spam came from. A surprising number of websites sold their details on, despite my always choosing no to that option. Somebody who cared enough could probably still raise a fuss under the DPA and breaches to their own T&C's; although I guess now if somebody challenged them they'd say "Oops, our database was hacked convenient_number_of_days_ago despite our best efforts; it must have been stolen then!" since little ever seems to be done about more serious personal data than just email addresses being compromised through lax security.
One that stuck in my mind was
parkers.co.uk - an address used there *once* was used in a phenominal amount of spam for many years.
Also of note was the amount of ratware that broke the username - either chopping a letter off the front or adding a superfluous letter - and then distributing that to further lists.
