that's not exactly a difficult email address to guess, I would think that in this case (specifically this case) equifax would have a very good claim that it wasn't them that leaked it. If instead you had used a hash or something unguessable then you might have a case, but I could easily go and sign up to my favorite nigerian viagra supplier with all the usual suspects facebook@yourdomain.com, airbnb@yourdomain.com... and you'd go right on blaming the facebook, airbnb, etc.
This is a classic case of engineering a solution to a problem that doesn't exist.
The first question you have to ask your self is for what reason would anyone choose to do that? Shits-and-giggles and malice against me personally are about the only legitimate reasons someone would do that.
Spammers wouldn't want my dummy addresses in their list, and harvesters who sell emails to spammers wouldn't either because I could easily invalidate swaths of their lists by disabling my catch-all giving them a bad reputation.
I mainly do this to see how my email address gets around. If and when I contact a company about my email address receiving SPAM, I don't name and shame in any public capacity. Its of little consequence how they respond because the damage is done, its not like they can undo the SPAM.
Agreed--this is why I append a few random characters to the end of my catchalls when I set them up. Not a hash or anything, but the likelihood of someone guessing a few characters blindly hit on the keyboard is low.
