What to Do When Company Breaks Privacy Agreement?

Mustang Matt asks: "Earlier this month, I caught ALXNet redhanded in breaking their own agreement in their privacy disclaimer. I've started generating unique email addresses for use in signups that are formed like [domain]@mydomain.com. [ C :"mydomain.com" is just used as an example, here] I just received spam to alxnet@mydomain.com, and here's the kicker: what I received was not even from ALXNet! It was filled with forged headers regarding an online trading newsletter, and this address has never been used anywhere else other than their signup. How can I hold them accountable? All I've done so far is asked Yahoo to close the account they are using." What, if anything, can be done about companies that pay lip service to their privacy agreements? For those SPAM busters out there, an example of the SPAM's headers is included, below. SPAM with full headers:

Return-Path: directaccessus@yahoo.com

Received: from yourwebsite.com (66-108-136-65.nyc.rr.com [66.108.136.65])
by linux.thoughtprocess.net (8.11.0/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id fB7M8Dv07978
for alxnet@mydomain.com; Fri, 7 Dec 2001 16:08:13 -0600
Message-Id: 200112072208.fB7M8Dv07978@linux.thoughtprocess.net
X-Authentication-Warning: linux.thoughtprocess.net: Host 66-108-136-65.nyc.rr.com [66.108.136.65] claimed to be yourwebsite.com
Reply-To: directaccessus@yahoo.com
From: directaccessus@yahoo.com
To: alxnet@mydomain.com
Subject: Trading Newsletter
Sender: directaccessus@yahoo.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 7 Dec 2001 17:12:38 -0500
X-UIDL: 6cadc61cbcf01cac2a66f167c5416863