> How would they find out the listnames if the lists are confidential?

   They may be confidential but the addresses are not secret if
mail ever goes out to the list.
   If the mail was generated by one of the virus/worms (klez,
etc.) then it might have been "harvested" out of an infected machine's
address books and e-mail "folders". The monitor report in this case is
often due to a "submitted to editor" or other process report that
bounces. All it takes is one of our subscribers getting infected
and the address will be used in the From: (a dead give away) or To:
address.
   I think spammers probably also harvest e-mail addresses from
web pages.