I've been using a catch-all domain with unique addresses (example: ycombinator@mydomain) for every service/site/etc. for more than 10 years.
Surprisingly, none of these email addresses have gotten spam, outside of what the original service sends.
As someone else mentioned, most of the spam I received comes from people with the same name as me. I was an early gmail adopter and my gmail is my firstnamelastname@gmail. I get spam, people's rental agreements, dating profile information, mortgage closing papers, etc for people with my name from across the country. There is someone who has been convinced they can create a gmail with my firstname.lastmail@gmail who has signed up my account for facebook, netflix, and espn+. This is much more of a problem for me.
My early adopter short gmail address has a similar issue. With password reset by email, it seems like a really bad idea to use it for your bank account, amazon, etc. when I can just reset your password and login.
Also have been using catch-all with companyname@myrealname.com since 2007 and haven't had any significant problems with spam except for a brief period when a baseball player with the same name was in the news.
Password reset and cancel those accounts. Those companies aren't doing due diligence with verifying email. You don't want someone else's commercial activity linked to your identity.
The most interesting site I've pw reset and cancelled so far has been my name-sake's dating account on bigblackbeautifulsingles. He had quite a few matches.
My father has encountered this a fair bit. He was able to get a one of the most prolific incorrect email address users to realize their mistake when they used his email address while purchasing a house in England and he was able to contact the realtor to get back to the person misusing the address and correct the email address.
There's still someone who has emirates frequent flier miles associated with his email address that they can't use (they've forgotten the password to the account and it keeps sending the email to him - but without enough information for him to either respond back or identify the account to have it corrected).
On a similar note, I was also an early Cash App adopter and my username is my firstnamelastinitial (something like JohnS). Increasingly, over the last few years, I've been receiving unsolicited money, almost $800 to date. I used to received much more spam requests.
I ask the senders to "request a refund" but surprisingly, they never do. I guess that's one benefit of having a common username on a service.
Surprisingly, none of these email addresses have gotten spam, outside of what the original service sends.
As someone else mentioned, most of the spam I received comes from people with the same name as me. I was an early gmail adopter and my gmail is my firstnamelastname@gmail. I get spam, people's rental agreements, dating profile information, mortgage closing papers, etc for people with my name from across the country. There is someone who has been convinced they can create a gmail with my firstname.lastmail@gmail who has signed up my account for facebook, netflix, and espn+. This is much more of a problem for me.