Most spam doesn't reach you because a spammer guessed your address. It reaches you because something leaked it: a database, a public page, a tracker, or you, once, clicking a link you shouldn't have. If you've ever asked how spammers get your email address, the honest answer is that there are about nine common routes, and most of your current spam can be traced back to one or two of them.
Below is the full list, ranked roughly by how often each one matters in practice. The first two account for the majority of the spam most inboxes see. The rest fill in the tail.
1. Data breaches (the dominant source)
A company you signed up for three years ago — could be LinkedIn, Yahoo, Dropbox, a hotel chain, a forum you forgot you joined — gets breached. The dump hits a dark-web market within weeks. Your address, the hashed or plaintext password, sometimes your phone number and birthday too, all sit in a CSV that sells for the price of a coffee. That's how most spam starts.
Have I Been Pwned has indexed more than 13 billion leaked accounts across thousands of breaches, and an address that has been in use for a few years has usually turned up in several separate dumps. The math here is unfriendly: once an address has leaked, it keeps leaking. Every new dump gets cross-referenced against the old ones, and every list seller enriches what they already have.
Check yours at haveibeenpwned.com. If it shows up, you can't un-leak it. The list is out there. What you can do is stop adding fresh exposure to the pile.
2. Data brokers and list sellers
Some of what looks like a leak is actually a legal sale. Data brokers compile profiles on people from public records, purchase histories, newsletter signups, and "free" apps that collect email in exchange for a service. They sell the lists, sometimes to marketers, sometimes to thinly-disguised spammers using a marketer's paperwork.
The CAN-SPAM Act in the U.S. doesn't require opt-in or forbid buying lists. It mainly regulates headers, sender addresses and opt-out handling, and treats address harvesting and dictionary attacks as aggravating factors for a sender who is already in violation. Enforcement is weak, and the international angle makes it weaker still: a list seller based overseas can sell to an American-addressed spammer with no practical consequence. Europe's GDPR is stricter on paper, since it demands a lawful basis for processing your address at all; in practice the same pipelines exist.
If you've ever entered your email to download a whitepaper, enter a contest, claim a coupon, or join a "community," there's a decent chance that address got rolled into a broker's pipeline within 90 days. You didn't give them permission directly. The site you signed up for did, in a privacy policy you didn't read.
3. Web scraping
Bots crawl the public web looking for anything shaped like an email address: a local part, an @ sign, and a domain. Scraped surfaces include forum profiles, GitHub commit history (every commit records the author email from your git config), resume PDFs hosted on personal sites, academic paper bylines, real-estate listings, business directories, and the "contact us" pages of any small business that posts a direct address.
Obfuscation tricks like writing "name [at] domain [dot] com," using an image of the address, or rendering it with JavaScript help against cheap scrapers and do very little against a good one. Modern scraping stacks render the page in a headless browser and apply trivial normalization. If your address is ever displayed to a human on a public page, treat it as scraped.
The most-scraped surfaces most people forget: GitHub commit email, academic repositories, old WordPress author pages, stale LinkedIn scraping dumps that keep circulating, and archived versions of pages you deleted years ago. The archive never forgets.
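To make the obfuscation point concrete, here is an added example (not code from the original article, nor any particular scraper's) of the normalization step a scraper applies once it has the rendered text of a page. The sample HTML, the obfuscation patterns and the canonical form are constructed for this example. The canonical form also shows the plus-tag stripping and Gmail dot-folding that list sellers apply when they merge dumps, which is why plus-addressing (covered under "What you can do about it" below) works as a filter and not as a defense.

```python
import html
import re

# Obfuscation forms that a cheap scraper misses and a good one normalizes.
# Patterns, canonical form and the sample page are constructed for this
# example; they are not any particular scraper's code.
AT_FORMS = r"(?:\s*@\s*|\s*[\[\(\{]\s*at\s*[\]\)\}]\s*|\s+at\s+)"
DOT_FORMS = r"(?:\.|\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*|\s+dot\s+)"
LOCAL = r"[A-Za-z0-9._%+-]+"
LABEL = r"[A-Za-z0-9-]+"

# A local part, some spelling of "@", then two or more labels joined by
# some spelling of ".".
EMAIL_RE = re.compile(
    rf"({LOCAL}){AT_FORMS}({LABEL}(?:{DOT_FORMS}{LABEL})+)", re.IGNORECASE
)
# "name" + "@" + "domain.com" concatenation inside inline scripts.
JS_CONCAT_RE = re.compile(r"""["']\s*\+\s*["']""")


def deobfuscate(page: str) -> str:
    """Undo the cheap tricks: HTML entities (&#64; for @) and JS string joins."""
    return JS_CONCAT_RE.sub("", html.unescape(page))


def canonicalize(local: str, domain: str) -> str:
    """The form list sellers merge on: lowercase, '[dot]' spellings resolved,
    plus-tag dropped, and dots removed from Gmail local parts (Gmail ignores
    them, so a.b@gmail.com and ab@gmail.com are the same inbox)."""
    local = local.lower().split("+", 1)[0]
    domain = re.sub(DOT_FORMS, ".", domain.lower(), flags=re.IGNORECASE)
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def harvest(page: str) -> list:
    """Return the distinct canonical addresses visible in a page."""
    text = deobfuscate(page)
    return sorted({canonicalize(l, d) for l, d in EMAIL_RE.findall(text)})


# Constructed sample page using the obfuscations the article mentions.
SAMPLE_PAGE = """
<p>Email: alice&#64;example&#46;com</p>
<p>Press: press [at] example [dot] com</p>
<p>Support: Bob.Smith+newsletter@Gmail.com</p>
<script>var e = "carol" + "@" + "example.org";</script>
<p>Research: dave (at) lab (dot) university (dot) edu</p>
<p>Also alice@example.com again</p>
"""

if __name__ == "__main__":
    for addr in harvest(SAMPLE_PAGE):
        print(addr)
```

Every one of the six addresses on the sample page comes out as a clean, deduplicated entry, including the ones written with brackets, entities or string concatenation. Rendering with JavaScript only moves the problem: a headless browser hands the scraper the same text a human sees, and this is what happens to it next.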
4. Address guessing
Mass spammers run dictionary attacks against the common address formats at major providers: a first name alone, first.last, a first initial plus surname, a common word followed by a few digits. If you have a short or common name at a major provider, your address will receive spam even if you've never shared it anywhere, simply because it exists and is guessable.
They confirm hits by watching which addresses bounce, by probing the mail server directly to see which recipients it accepts, and by embedding a one-pixel tracking image in the first message. Any address that doesn't bounce, or any client that fetches that image, marks the address as live and worth mailing again. Gmail now loads remote images through its own proxy, which hides your IP address and device but still tells the sender the message was opened; Apple's Mail Privacy Protection prefetches images, so opens from Apple Mail can't be trusted. Neither defeats the technique against every sender, and mail that lands at a smaller provider or a self-hosted domain gets none of this protection.
5. Phishing that confirms you're real
The cheapest way to verify an address is active is to send you something that asks for action. Phishing messages are one vehicle; the "unsubscribe" link in spam is another. Clicking either tells the sender two things: the address is real, and there's a person reading it. That address now sells for more.
The standard advice of "just unsubscribe" is wrong for messages from senders you didn't subscribe to. Unsubscribe works for legitimate companies. For spam, it's a confirmation ping. The right action is to mark the message as spam in your email client and move on. If the sender is legitimate and you unsubscribed legitimately, they'll stop. If they don't stop, they weren't legitimate.
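A check you can run on a suspicious message, as an added example rather than code from the original article: it parses an HTML body and flags the two confirmation mechanisms described above, a remote one-pixel image and per-recipient tokens in links, including the "unsubscribe" link. The sample message, the hostnames and the token heuristic (an opaque string of 20 or more URL-safe characters) are constructed for this example; a real mail client's rendering rules are not modelled.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Heuristic for a per-recipient identifier: 20+ URL-safe characters.
# The threshold is an assumption made for this example.
TOKEN_RE = re.compile(r"[A-Za-z0-9_=-]{20,}")


class _Collector(HTMLParser):
    """Gather <img> attributes and (href, anchor text) pairs from a body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def has_opaque_token(url: str) -> bool:
    """True if any query value or path segment looks like a tracking token."""
    p = urlparse(url)
    parts = [v for vals in parse_qs(p.query).values() for v in vals]
    parts += p.path.split("/")
    return any(TOKEN_RE.fullmatch(part) for part in parts)


def _px(value):
    """'1', '1px', ' 0 ' -> int; anything else -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def looks_like_pixel(attrs: dict) -> bool:
    """Remote image that is invisible or carries a per-recipient token."""
    src = attrs.get("src", "")
    if not src.lower().startswith(("http://", "https://")):
        return False  # cid:/data: images are inline and cannot phone home
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    invisible = (
        (w is not None and w <= 1)
        or (h is not None and h <= 1)
        or "display:none" in style
        or "width:1px" in style
        or "height:1px" in style
    )
    return invisible or has_opaque_token(src)


def analyze(body: str) -> dict:
    """Report which confirmation mechanisms an HTML mail body carries."""
    c = _Collector()
    c.feed(body)
    pixels = [a["src"] for a in c.images if looks_like_pixel(a)]
    tokenized = [href for href, _ in c.links if has_opaque_token(href)]
    unsub_beacons = [
        href for href, text in c.links
        if "unsubscribe" in (href + " " + text).lower() and has_opaque_token(href)
    ]
    return {
        "tracking_pixels": pixels,
        "tokenized_links": tokenized,
        "unsubscribe_beacons": unsub_beacons,
    }


# Constructed sample message; hostnames and the token are made up.
TOKEN = "7f3c9e2a1b4d5e6f7a8b9c0d1e2f3a4b"
SAMPLE_MAIL = f"""<html><body>
<p>Great deals inside!</p>
<a href="https://promo.example/offer?rid={TOKEN}">Shop now</a>
<img src="https://track.example/o.gif?u={TOKEN}" width="1" height="1" alt="">
<img src="https://cdn.example/banner.png" width="600" height="120" alt="banner">
<img src="cid:logo@example" width="1" height="1">
<p><a href="https://promo.example/unsubscribe?u={TOKEN}">Unsubscribe</a></p>
<p><a href="https://promo.example/terms">Terms</a></p>
</body></html>"""

if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_MAIL).items():
        print(key, hits)
```

On the sample, the 1x1 remote image is reported as a pixel, the banner and the inline cid: logo are not, and the "Unsubscribe" link carries the same per-recipient token as the pixel. That shared token is the point: fetching either one tells the sender exactly which address reacted.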
6. Retargeting and identity-resolution vendors
A subtler one. Some ad networks and retargeting providers link your web activity to your email address through their relationships with publishers and e-commerce sites. If you've ever entered your email to one site and then visited another site running the same tracker, those parties know the connection. That graph gets resold to advertisers and, at the edges, to spammers operating under advertiser accounts.
The companies doing this usually call themselves "identity resolution" vendors. Names like LiveRamp, Epsilon, and Acxiom sit between publishers and advertisers and keep databases that tie email to web activity. The practice is legal in the U.S. It's more restricted in the EU but not absent, and it's one of the reasons a freshly-created email address can start receiving targeted spam within weeks of being used on more than one site.
7. Compromised contacts' address books
Spammers don't only harvest addresses. Sometimes they get access. When a friend's, coworker's, or family member's machine is compromised, whether by infostealer malware, phished credentials, or an old, forgotten PC that's still online, their address book often goes out with the payload. Every contact in that book is now on a list somewhere.
You notice this when you start getting spam that spoofs someone you know. The display name looks right; the address in the header is subtly off. That's usually the tell that your address escaped through a third party's compromise, not your own.
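The header-level check behind that tell, as an added example (not code from the original article): it compares the From: display name against the address you already hold for that person and flags both a plainly different address and a lookalike domain. The contacts, the sample headers and the similarity threshold are constructed for this example; a real deployment would read the address book from your mail client.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed address book: display name -> the address you actually hold.
CONTACTS = {
    "Alice Example": "alice@example.com",
    "Bob Smith": "bob.smith@corp.example",
}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _squash(domain: str) -> str:
    """Drop separators so example.com, example-com and example.com.x compare."""
    return domain.replace(".", "").replace("-", "")


def lookalike(domain: str, expected: str) -> bool:
    """True when `domain` imitates `expected`: the real domain buried in a
    longer one (example.com.mail-secure.net, example-com.net) or a one- or
    two-character edit of it (exarnple.com, examp1e.com). The 0.85
    similarity threshold is an assumption made for this example."""
    if domain == expected:
        return False
    if _squash(expected) in _squash(domain):
        return True
    return SequenceMatcher(None, domain, expected).ratio() >= 0.85


def classify(from_header: str, contacts=CONTACTS) -> str:
    """Label a From: header against the address book."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip(), addr.lower()
    if "@" in name and name.lower() != addr:
        # An address shown as the display name while the real sender is elsewhere.
        return "display-name-spoof"
    expected = contacts.get(name)
    if expected is None:
        return "unknown-sender"  # not a contact; ordinary spam filtering applies
    if addr == expected.lower():
        return "ok"
    if lookalike(_domain(addr), _domain(expected)):
        return "lookalike-domain"
    return "display-name-spoof"


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in (
        "Alice Example <alice@example.com>",
        '"Alice Example" <alice.example@gmail.com>',
        "Alice Example <alice@exarnple.com>",
        '"bob.smith@corp.example" <x@evil.example>',
    ):
        print(f"{classify(hdr):20} {hdr}")
```

The "display-name-spoof" result is the third-party-compromise signature the paragraph describes: the name came from a stolen address book, the sending address came from whatever the spammer controls. The "lookalike-domain" result is the targeted variant, where the attacker registered something close to the real domain so the address survives a quick glance.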
8. Fake verification emails
Some spam arrives looking like a legitimate verification email: "Hi, you signed up for [service]. Please confirm." You didn't sign up, so you click "this wasn't me" or "cancel subscription" — and the spammer has now confirmed that the address is active and the owner is engaged enough to react.
If you get a verification email for an account you didn't create, don't click anything in it. An unconfirmed account normally expires on its own, and if you want to be sure, go to the service's site directly rather than through the message. Clicking anything inside that message is how a cold address becomes a warm one.
9. You posted it publicly
The cheapest source is you. Email addresses posted on personal websites, in forum signatures, on LinkedIn profiles, in GitHub READMEs, in public résumés, in marketplace listings, and on old blog posts where you wrote "contact me at…". Scraping every one of those is a single afternoon for anyone with a Python script.
This isn't a moral failing. Most of us have put an address somewhere public at some point. But the practical effect is the same as any other leak. Once an address is posted, the scraping happens in the background forever. The only mitigation is to move on to a different primary address for anything public-facing, and leave the old one to rot.
What you can do about it
You can't erase yourself from the lists you're already on. You can stop feeding the next round.
- Stop using your primary address for new signups. Use a disposable address for anything you don't plan to keep long-term: newsletter gates, free trials, one-off downloads, dodgy-looking giveaways. SecondInbox gives you one in a click, no registration required.
- Check Have I Been Pwned once a year, or subscribe to its breach notifications. If you show up in a new breach, change the password on that account and anywhere you reused it, and turn on two-factor authentication. Deleting the account afterwards is fine, but it doesn't recall the data that already leaked.
- Don't click "unsubscribe" in unfamiliar spam. Mark as spam instead. Your email client learns, and you don't confirm the address to the sender.
- Remove your email from public profiles where it doesn't need to be: GitHub commit email (set user.email in git config to the noreply address GitHub assigns you and turn on "Keep my email addresses private"; commits you've already pushed keep the old address unless you rewrite history), forum signatures, old WordPress author pages.
- Plus-addressing (a +tag added to the local part of your address, before the @, so the tagged form still lands in your inbox) helps you filter but doesn't really protect you. Most spammers strip plus-tags before use. Treat it as an organizing tool, not a defense.
None of these are perfect on their own. The point is layered defense. The less fresh fuel you give the lists, the slower the inbox problem compounds.
A few common questions
Tracing a leak back to the company that lost or sold your address is usually not possible. Have I Been Pwned tells you which known breach your address appeared in, but it rarely tells you which company originally sold or leaked the data before that breach. The data moves through too many hands.
Starting over with a new address helps, but only for a while. It resets you to zero on the lists. If you use the new address the same way, public signups, newsletter downloads, free trials with your real inbox, you'll be back to current levels within one to two years.
There is no single way to get yourself off every list. In the EU, GDPR Article 17 gives you a right to erasure against any specific company you contact, but that's one company at a time, and it's only practical to enforce against companies with an EU presence. In the U.S., state laws like California's CCPA offer limited versions. There's no global opt-out button.
A disposable address does help, for the right use case. Using one for signups you don't need long-term means that address, not your real one, ends up on broker lists when the site inevitably sells or leaks its database. Your primary inbox stays quiet.
The take
Every address gets scraped, sold, or leaked eventually. That's the steady state of the internet in 2026. The question isn't whether you can prevent it forever; you can't. It's how to keep the blast radius small.
Use a disposable address for anything you don't need to keep. Keep your real inbox for banking, close contacts, and accounts you'd care about recovering. When the next breach hits, and it will, you'll lose the inbox that doesn't matter.