either their servers are insecure, there is a rogue member with server access, or these dedicated e-mails are being harvested via the spam algorithm that generates addresses for domain names using a dictionary or other process, based on the tendency of users to choose machine-predictable usernames. my assumption would be the latter.