This has nothing to do with avast. I have the same spam on a reserved email address that has never been used anywhere at avast.
The same complaint has been seen of late on several forums I use and people automatically think it MUST be the sites fault. Fact is spam can be sent to domains where no email account has ever been set up, I have 3 domains where the mail system has never been used, BOTS however are programmed to locate domains and find a usable name to forward their junk and crap is received.
I have my own domain, and specifically tag each email address I supply with the name of the party to whom I am supplying it. A "dictionary attack" spam (where they try many addresses at a given domain) wouldn't be likely to generate these specific strings that are ONLY provided to certain parties (forums or other accounts).
This has happened with even big-name companies - for example, I provided the Wall Street Journal and United Airlines with special tagged emails that only they had, and I received spam on them.
Happily, I have received spam on these tagged emails rarely, so they are likely instances of employees of the companies stealing the mailing lists, the companies themselves having an internal policy of selling them, or third party hackers getting hold of the user databases.
Man-in-the-middle attacks can happen (capturing packets, capturing routed emails, etc.), but I would be seeing a LOT more spam on these tagged emails if that were happening frequently, so I tend to hold the people I gave the email address to (eg. this forum, etc.) accountable for its lack of security.
- Tim