Here is my response to the PPA answer I received earlier today. I think I'm being pretty reasonable.
I find your response unsatisfying.
Please allow me to outline my technical background. I am a computer industry professional with two decades of experience, including over a decade as an internet professional. I have worn many hats during my career, but the one that is most relevant to this discussion is my stint as Director of Operations for Yesmail. During this time, I was responsible for all data center operations of a leading email marketing company, and I was responsible for both the delivery of email, and the security of the data center.
I have also been an avid anti-spam activist for many years, and I am well-versed in the methods that spammers use to obtain addresses. I keep constant vigilance over access to my personal domains, including daily monitoring of all spam attempts on my servers.
Your statement that passing ScanAlert's test "means that there are no security holes for spammers" indicates a complete misunderstanding of computer security and security audits. Passing a security audit means that any obvious, known holes have been closed, but it is far from a guarantee of safety. New security exploits are being developed on a daily basis, and it is impossible to stay ahead of all of them.
However, I know from experience that the majority of security exploits are inside jobs, where someone inside the organization utilizes their privileged access to the database for personal gain. Because of that, standard security processes for sites with confidential data include highly-restricted access to that data, as well as complete audit logging of all accesses to protected data.
Are your backups safe? How many of your employees have database access? Have any contractors had access to the database? How about data center personnel? Test servers? Is it possible that someone took a dump of the database when they were not being monitored?
I understand that the casino spam I'm getting is quite prevalent on the internet right now. However, what I do not understand is how that spam was sent specifically to the PPA email address I use, unless there was a security breach of some sort on the PPA's end.