[elmerfud]

Of course anyone could be monitoring SMTP that's not encrypted. It possibly could be your VPS provider but that would be quite obvious if they then started a dictionary attack against your accounts. Now on the other hand these service email addresses you're using for different places, keep in mind every place is terms of service says they can share your information with select partners. Or some verbage like that. That means that it could be any number of spam partners that they provide your addresses too, of which there's only a handful in the world. You may have unwittingly stumbled upon all of these entities using the same back end marketing partner service and that service has been compromised in some way.