The address is [the three letters this forum converts] @ mydomain.tld.
The sender is a legit publisher, not a company that would use viruses or hack into my server to steal addresses. Mail server logs show no traces of them trying addresses.
So I guess I must have broken my own policy: used the address somewhere else. It's just that I don't recall ever signing up with them or receiving mail from them.