How to Stop Getting Newsletters You Never Signed Up For

You didn't subscribe, but the newsletters keep coming. Here's how to tell legit ones from spam-bait, what to actually unsubscribe from, and how to stop the flow for good.

SecondInbox · 6 min read

Short version: don't click "unsubscribe" on anything you don't recognize. That's the counter-intuitive part most guides skip. Then you work through the rest in a specific order: triage, filter, report, and (for anything new you sign up for) give out a different email address so this doesn't happen again.

The rest of this piece walks through each step, with specifics about which newsletters are safe to unsubscribe from, how to spot a subscription-bombing attack, and why Gmail's "unsubscribe" button is safer than the one inside the email itself.

Spammers don't always want a response. Sometimes they just want confirmation that a live human opened the email. A click on "unsubscribe" tells them your address is real and someone is reading it, which makes it more valuable on the next list they sell. The link might also load a tracking pixel, drop a cookie, or redirect through an attacker-controlled domain before landing on a fake unsubscribe page that does nothing.

So the rule most sources quietly agree on: unsubscribe works for legitimate senders; it backfires on the rest. The hard part is telling which is which.

How to tell legit newsletters from spam-bait

A quick triage you can run on any unwanted newsletter, in about five seconds per message:

  • Do you recognize the company? A newsletter from Nike, The New York Times, or a bank you use is probably legitimate, even if you don't remember subscribing. Unsubscribe normally.
  • Does the "From" address match the brand's real domain? [email protected] is plausible; [email protected] isn't. Domain mismatches are a near-certain sign of spam or phishing.
  • Did it arrive alone or in a burst? Five newsletters from five companies you've never heard of, all in the same hour, is an attack signal (more on subscription bombing below). A single newsletter from a random B2B SaaS is more likely to be address leakage.
  • Is the content generic? "Industry insights," "Weekly digest," "Our latest updates" with no real company name in the body usually means the list was bought. Legitimate newsletters name themselves constantly.

If the newsletter passes the recognition + domain + tone test, it's safe to unsubscribe. If any of the three fails, don't click anything inside the email.

What to do with the legit ones you didn't sign up for

These usually aren't malicious. Your address probably leaked from a data breach or got sold through a third-party list, and the sender bought the list in good faith (or close enough). For these:

  1. Use the unsubscribe link inside the email. It's legally required for commercial senders in most jurisdictions and it actually works.
  2. If you're in Gmail, use the unsubscribe button next to the sender name instead of the link at the bottom. Gmail handles the request through List-Unsubscribe headers rather than visiting the sender's page, which skips the tracking pixel.
  3. Mark as spam anyway if the sender is using shady tactics: small or hidden unsubscribe text, a form that asks for your email again before unsubscribing, or a "we'll process your request in 10 days" delay. None of that is necessary and all of it is a sign the sender isn't trustworthy.
  4. Block the sender if the unsubscribe fails. In Gmail, open the message → menu → Block "Sender Name." Future mail from that exact address goes straight to spam.
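
To see what the List-Unsubscribe headers from step 2 look like in a raw message, here is an added example (not from the original article) that reads them without fetching any URL and reports whether the sender advertises RFC 8058 one-click unsubscribe. The sample message and its example.com addresses are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit
import re

# Constructed sample message (not real mail); all names are placeholders.
SAMPLE = """\
From: Example Store <news@mail.example.com>
To: you@example.org
Subject: Weekly deals
List-Unsubscribe: <mailto:unsub@mail.example.com?subject=unsubscribe>,
 <https://mail.example.com/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Body text.
"""

def unsubscribe_options(raw: str) -> dict:
    """Summarise header-based unsubscribe methods; nothing is requested."""
    msg = message_from_string(raw)
    # RFC 2369: comma-separated URIs, each wrapped in angle brackets.
    header = msg.get("List-Unsubscribe", "")
    uris = [u.strip() for u in re.findall(r"<([^>]*)>", header)]
    https = [u for u in uris if urlsplit(u).scheme == "https"]
    mailto = [u for u in uris if urlsplit(u).scheme == "mailto"]
    # RFC 8058: one-click needs an HTTPS URI plus this exact Post header value.
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    one_click = bool(https) and post == "list-unsubscribe=one-click"
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "sender_domain": sender_domain,
        "header_present": bool(uris),
        "https": https,
        "mailto": mailto,
        "one_click": one_click,
    }

if __name__ == "__main__":
    print(unsubscribe_options(SAMPLE))
```

In most mail clients you can get the raw text through a "Show original" or "View source" option and paste it in place of the sample.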

The goal isn't zero email. The goal is that the remaining senders are ones you actively benefit from hearing from.

What to do with the obviously spammy ones

Don't unsubscribe. Don't reply. Don't click anything in the email, including images (images can load tracking pixels too).

  • Mark as spam. This trains your provider's filter and gets the sender flagged faster for everyone else.
  • Block the sender if the same domain keeps slipping through.
  • In Gmail, set a filter to auto-delete messages matching a pattern: sender domain, subject keyword, anything stable. Search for the sender, then use the "Filter messages like these" option in the search dropdown.
  • If the flow is large and coordinated, suspect subscription bombing (next section).

This is slower than clicking unsubscribe, but it doesn't confirm your address to a spammer and it trains your filter at the same time.

If you're being subscription-bombed

Subscription bombing is a specific attack: someone signs your email up for hundreds or thousands of legitimate newsletters at once, usually to bury a single real email (a fraudulent-purchase confirmation, a password-reset notice, a suspicious-login alert) in a flood of noise. The idea is that by the time you dig through the pile, the attacker has already drained your account.

Signs you're being bombed:

  • A sudden flood of legitimate-looking newsletter signup confirmations from unrelated companies, all arriving within a few hours.
  • Most of them are in multiple languages, from multiple industries, with no pattern other than "someone used my address to sign up."
  • Almost every message is a "thanks for subscribing" confirmation rather than a recurring newsletter (yet).

What to do, in order:

  1. Check every financial account and email address you own for suspicious activity. That's the actual target. Change passwords on anything that matters. Turn on MFA if you haven't.
  2. Run haveibeenpwned.com against your address to see if it surfaced in a recent breach that might have triggered this.
  3. Don't try to unsubscribe from the flood individually. At scale it's impossible, and you'd be clicking hundreds of links in suspicious moments.
  4. Use your provider's filtering. Gmail's "Filter messages like these" applied to common phrases ("confirm your subscription," "welcome to our newsletter") can mass-archive the flood to a folder for later triage.
  5. Consider a temporary alternate inbox for the affected account's password-reset flow until the storm passes. You don't want the attacker's follow-up arriving at the same address.

Bombing campaigns usually taper off within 48–72 hours once the signup scripts finish running. The filter you set up lets you keep using your inbox during that window.
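
The signs listed above can be checked mechanically. This added example (not from the original article) scans inbox metadata for a burst of signup confirmations from many unrelated sender domains and then lists the non-confirmation mail that arrived during the burst, which is what the flood is meant to hide. The window length, the domain threshold and the sample inbox are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Phrases the article lists as typical of signup-confirmation mail.
PHRASES = ("confirm your subscription", "welcome to our newsletter",
           "thanks for subscribing")

def is_confirmation(subject):
    return any(p in subject.lower() for p in PHRASES)

def find_burst(messages, window=timedelta(hours=3), min_domains=5):
    """First time span in which >= min_domains distinct sender domains sent
    signup confirmations within `window`; None if there is no such span.
    Both thresholds are assumptions to tune, not values from the article."""
    hits = sorted((ts, dom.lower()) for ts, dom, subj in messages
                  if is_confirmation(subj))
    left = 0
    for right in range(len(hits)):
        # Shrink the window from the left until it spans at most `window`.
        while hits[right][0] - hits[left][0] > window:
            left += 1
        domains = {d for _, d in hits[left:right + 1]}
        if len(domains) >= min_domains:
            return hits[left][0], hits[right][0], sorted(domains)
    return None

def buried_mail(messages, start, end):
    """Non-confirmation messages received during the burst: read these first."""
    return [(ts, dom, subj) for ts, dom, subj in messages
            if start <= ts <= end and not is_confirmation(subj)]

# Constructed sample inbox: (received time, sender domain, subject).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    (T0 - timedelta(days=2), "shop.example", "Thanks for subscribing!"),
    (T0, "a.example", "Please confirm your subscription"),
    (T0 + timedelta(minutes=5), "b.example", "Welcome to our newsletter"),
    (T0 + timedelta(minutes=9), "c.example", "Thanks for subscribing"),
    (T0 + timedelta(minutes=12), "bank.example", "Password reset requested"),
    (T0 + timedelta(minutes=20), "d.example", "Confirm your subscription today"),
    (T0 + timedelta(minutes=31), "e.example", "Welcome to our newsletter, friend"),
]

if __name__ == "__main__":
    burst = find_burst(SAMPLE)
    if burst:
        print("burst:", burst[0], "to", burst[1], burst[2])
        print("check first:", buried_mail(SAMPLE, burst[0], burst[1]))
```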

Stop it from happening again

You can't undo the leak that got your address on these lists. But you can keep future signups off your main inbox entirely. The pattern that actually works:

  • Use your real email only for things you care about maintaining long-term. Bank, employer, primary cloud provider, people you know personally.
  • Use a dedicated secondary address for everything else that will probably email you. Store accounts, loyalty programs, newsletters you deliberately subscribed to.
  • Use a temporary email for everything one-off. The PDF download gate, the "enter your email to continue" form, the webinar registration, the free-tier signup you're only testing.

The third bucket is where SecondInbox lives. A disposable inbox for one-time signups means the next "thanks for subscribing" flood never reaches your real address in the first place, because the address you gave out no longer exists an hour later. Our write-up on using a temp email for newsletter signups covers the specifics, and the same pattern applies to free-tier service signups like Spotify where the marketing volume is high but the account itself is disposable.

For the newsletters that are already leaking into your main inbox, the triage from the earlier sections is the cleanup. The temp-email habit is what stops the next round.

A note on the "delete my data" route

Some sources recommend emailing the sender and invoking GDPR or CCPA to force removal from their list. This works in theory, and the legal backing is real if you're in a covered jurisdiction. In practice, for low-quality senders, your request goes into the same void as your unsubscribe click. Save the formal data-deletion request for senders you actually want to punish, not as a general-purpose tool for inbox cleanup.

In most places, yes. The US CAN-SPAM Act, the EU's GDPR, and Canada's CASL all require explicit or inferred consent for commercial email. Enforcement is another matter. For practical purposes, legality doesn't stop the flow; filtering and better signup hygiene do.

Partly. Provider filters do learn, and enough spam reports from enough users will throttle a sender's deliverability. But it's a slow, collective process. For your inbox specifically, blocking and filtering works faster than relying on the spam classifier alone.

Close the tab. Legitimate unsubscribe links pre-fill the address or use a one-click confirmation via List-Unsubscribe headers. Asking you to re-enter your address is either a dark pattern designed to verify you're a live human, or a phishing page. Either way, don't.

Usually not worth it. Changing your primary address creates a long migration tail (banks, friends, employers) and doesn't address the underlying habit that leaked it. Better to keep the primary, add a disposable bucket for new signups, and filter the legacy flood until it thins out.

Days to weeks for legitimate senders respecting unsubscribe requests. Months or never for spam-list senders; they don't care about your preferences. The practical fix is filtering, not waiting.

You can't undo the leak. You can triage what's already coming in, avoid confirming your address to spammers, and stop adding new signups to the pile. The guide above, in order, is the fastest way to get there.
