[plagueboy]

People always use the myth/scape goat that the information was sniffed somewhere between the sender's email server and mine. This is an unlikely scenario.

As far as SMTP relaying, most outgoing email only passes through the sender's outgong email server which delivers the email directly (direct TCP connection) to the recipient's email server. However, if it did go through additional SMTP relays, one should be concerned if one's configuration is routing email through an SMTP relay that has been compromised or is just run by someone that you don't trust.

As far as sniffing the direct TCP connection between the outgoing email server and the recipient's email server, one can't simply put a sniffer on one of the Internet's backbone routers. Any sniffing is likely occuring on the sender's network or the recipient's network, before it reaches the Internet backbone. You should be concerned if someone is running a sniffer on your outgoing email server's network.

People are always concerned about having that "lock" symbol, the one that indicates they're using SSL encryption so that their personal information can't be "sniffed". Most information security problems occur because of poor security when the information is stored or retransmitted.

As far as this merchant is concerned, they use a third party managed web/email host, a third party managed shopping cart, and shared my email address with UPS. Additionaly, they have at least one workstation that had my information on it. Definitely a lot of links in the information security chain.