Is that dropbox@domain.com email listed on any of your phone contacts? Ever had a virus on a machine that has sent or received an email from that account? How many people know that account exists? Only one of them needs to have a careless attitude about permissions.
See, the problem with that email address (dropbox@example.com) is that it tells me that I can try amazon@example.com, paypal@example.com. So, if I get access to an email for somerandomsite@example.com, trying these others is fairly trivial. It takes no time to suddenly generate an effective list of emails to try.
The point being, using a pattern is easy to discover. Even if that pattern is a random set of characters.
Would spammers email this? Yes. Why? Because they bought an email list that someone generated using this method.
Not saying this is what happened here, but if you've entered in emails on a site, you open yourself up.
Nope. I didn't use dropbox@mydomain but another string that was not guessable.
And how is a random pattern easy to discover? Quite coincidental that of the hundreds of addresses, just the three that are used for Dropbox are receiving spam in the past few days.
The spam I'm receiving is the kind of spam that you attempt to send to a non-tech audience (obvious phishing is obvious). The addresses were harvested, not carefully picked by looking at other addresses I used with my domain. The word "dropbox" is not even in the spammed addresses; they were school addresses. I never publicly mentioned I even went to that school. It are also three variants on the school's name, incredible that they picked just these three to spam.
