1) The graphs are not presented in a way that makes them easy to consume. The font is too small, the bars are too densely combined, the axis labels are not descriptive enough ("percentage of emails posted"), and there is no discernible ordering of the bars (alphabetical, by value, etc). Presenting your data in an a way that is easy to consume is just as important as having worthwhile data to present, because a general audience like this isn't going to struggle to parse those plots, they are just going to move on.
2) Considering you are doing data analysis with Python, you should check out pandas (http://pandas.pydata.org/). It will not only make the data easier to work with, but it will do plotting for you with better defaults than you have chosen, and you will drastically cut down on having to write matplotlib code (a worthwhile benefit!).
It doesn't look like his Spam page has been updated in a long time (http://paulgraham.com/antispam.html), which reflects for me the quality of spam filters now compared to 2002-2005 when most of those essays were written. Incidentally, they're a great way to learn about Bayesian Filtering as well !
1. Hotel registration. I was asked for my email address when staying at a Hyatt for the BSides Conference in SF a while back. I didn't even think twice about providing my standard email address, and within a week, started receiving a lot of extra spam. I tracked some of it down to a company that has affiliations with hotel networks, so I'm pretty sure it came from the registration process.
2. Public wifi hotspots. On this one, I dunno when or where I absent-mindedly entered my email address, but again, followed some of the spam back to a marketing company affiliated with public hotspots. Bastards.
It's fairly persistent spam, and it's walking right past greylisting, SpamAssassin, and my usual filters for bad actors.
What else is really important is that we, as webmaster/web programmers, should be able to protect users' email addresses from being spammed away. Many people I know use catch-all emails while signing up for websites so they can see what site sent any spam. If a site did, the trust is abased.