I created an account for perl-cpan and it got hit with spam/phishing attempts in less than a week.
There's not a lot that can be done about it. It's a losing battle to try and fight. There are some things you can do, but it won't be 100% effective. The closer you get to 100% effective, the more likely you are to throw the baby out with the bathwater.
I started using dedicated addresses a few years ago. Anytime I sign up for something, I use an address dedicated for that purpose. Then, when I start seeing spam patterns, I know where the address was used. In the case of mailing lists, there's not much to hide. However, when you sign up for something with a legit store, and then 2 or 3 months later you start getting bombarded with spam having nothing to do with that store -- it's a pretty safe bet where the spammer got your address (unless you use a very easy to guess address like a simple first name or something).
The other problem is dictionary attacks. There are distributed networks of bots that do nothing except try a dictionary of names against your mailserver. You can see how coordinated they are when you are getting dictionary scans from IP addresses all over the globe, starting with A, and not overlapping words. They are getting more devious too. I found one that had a bug in their tool so it was obvious the connections were linked and they overlapped names every so often (unless it was a single bot net running two separate lists, which is also possible).