Hi TJ,
In order to operate effective anti-spam measures to deal with this, data controllers/processors would need to retain some PII. That retention would likely come under the heading of 'needed to operate the service'.
That's the issue I've been wondering about WRT lug.org.uk's Mailman provision. There's also Mailman's variables like `accept_these_nonmembers' that build up email addresses over time.
Hashing the identity items individually (email address, nick-name, real-name, telephone, etc.) would mean the anti-spam data was anonymous.
Not if it's easy enough to hash all likely telephone numbers and check by brute force? Or determine if foo@bar.xyzzy in particuar is there?