How Spammers Actually Get Your Email Address (And How to Stop Them)
Spam isn't random — it's a supply chain. Here's exactly how your address leaks, how to check if you're already exposed, and the defenses that genuinely work.
EvilMail Team · July 1, 2026 · 11 min read
You signed up for exactly one newsletter with a fresh address, told no one, and three weeks later you're getting pitched Bitcoin doublers and fake FedEx delivery notices. It feels like magic. It isn't. Email addresses leak through a small number of very predictable channels, and once yours is on one list, it propagates to dozens more within months.
I've spent enough time reading breach dumps, list-broker pitch decks, and mail server logs to tell you that spam isn't random. It's a supply chain. Understanding that supply chain is the difference between playing whack-a-mole with your spam folder forever and actually cutting off the flow. Let's walk through how addresses get harvested, how to check whether yours is already circulating, and which defenses genuinely work versus which are folklore.
The five ways your address actually escapes
Almost every spammed address got there through one of these routes. They're listed roughly in order of volume.
1. Data breaches
This is the big one. When a company you trusted gets popped, the attacker walks away with a database that usually includes your email, often a password hash, and frequently your name, phone, and physical address. That data doesn't sit idle. It's sold in bulk on forums, traded in "combo lists," and eventually ends up seeding spam and credential-stuffing campaigns.
The scale is hard to overstate. The "Collection #1" dump that surfaced in 2019 contained roughly 773 million unique email addresses. Individual breaches at LinkedIn, Adobe, Dropbox, and MyFitnessPal each leaked in the hundreds of millions. If you've had the same email for a decade, assume it's in multiple breach corpora right now.
2. Web scraping
Bots crawl the public web looking for anything shaped like an email address (a local part, an @, and a domain). If your address appears on a forum profile, a GitHub commit, a mailto: link on your personal site, a conference attendee list, a PDF someone uploaded, or a WHOIS record, a scraper will eventually find it. Scrapers are cheap to run and never stop.
A concrete example: put a plain-text address in the footer of a public web page and watch the logs. It typically starts receiving spam within days, no signup required. That's why the old trick of writing name [at] domain [dot] com existed — though modern scrapers parse that too.
3. List buying and "data enrichment"
There's an entire legal-ish industry that aggregates addresses from breaches, scrapes, loyalty programs, and "co-registration" partners, then sells them to marketers as targeted lists. When you tick a box agreeing to receive offers "from us and our partners," you may be feeding this machine. Some vendors call it lead generation; the effect is the same. Your address becomes a line item someone else profits from.
4. Malware and compromised contacts
You don't have to be the one who's infected. If a friend, coworker, or client gets malware that scrapes their address book, your address goes with it. This is why you sometimes get spam that seems to know a real contact of yours — the spammer harvested a mailbox where you both appeared. Info-stealer malware (RedLine, Raccoon, and their descendants) has made this route far larger over the past few years, because it grabs saved credentials and contact lists straight off victim machines.
5. Sign-up leaks and shady operators
Sometimes the company you gave your address to is the leak — not because they were breached, but because selling or "sharing" your data is their business model. Free apps, sketchy sweepstakes, and some browser extensions are notorious. You handed the address over voluntarily; they monetized it. This is the hardest category to detect, which is exactly why per-service addresses (more on that below) are so useful — they turn an invisible leak into a labeled one.
How to check whether you're already exposed
Before you fix anything, find out how bad it is.
Have I Been Pwned (haveibeenpwned.com) is the standard. Type your address and it tells you which known breaches contain it. It's run by security researcher Troy Hunt, it's free, and it doesn't store your searches in a way that endangers you. Check every address you use.
Turn on breach alerts. HIBP lets you subscribe an address so you get notified when it appears in a *future* breach. Do this for your important addresses.
Check your password manager's breach report. 1Password (Watchtower), Bitwarden, and others cross-reference your saved logins against breach data and flag reused or exposed passwords.
Read the headers when spam looks targeted. If spam references a specific service, that service (or a partner of theirs) likely leaked you. This is detective work, but it tells you where the hole is.
One caveat: absence from HIBP is not proof of safety. It only knows about breaches that became public. Plenty of leaked data never gets indexed anywhere searchable.
What actually works to stop the flow
Here's the uncomfortable truth: once an address is out, you can't recall it. Defense is about limiting *future* exposure and containing *existing* damage. These are the moves that measurably help.
Use a different address for every service
This is the single most effective habit, and almost nobody does it. If every site gets a unique address, three things become true:
1. A breach at one site can't be correlated with your accounts elsewhere.
2. You instantly know who leaked you, because the spam arrives *at the address you only gave that one company*.
3. You can kill a compromised address without touching your real inbox.
You have three practical ways to do this:
| Method | How it works | Best for |
| --- | --- | --- |
| Plus-addressing | Mail sent to your address with a +tag appended to the local part is delivered to your plain address | Free, zero setup — but trivially strippable by spammers, and it still exposes your real address |
| Alias services | A provider gives you unlimited real-looking aliases that forward to your inbox | Accounts you want to keep but might need to disconnect later |
| Disposable / temporary addresses | A throwaway inbox for one-time signups you'll never revisit | Downloads, trials, forum registrations, "enter email to read" walls |
Plus-addressing is better than nothing, but treat it as tissue paper. Any competent list cleaner runs a regex to strip +tag before selling. It hides your address from a lazy human, not from software.
Alias services (addy.io, SimpleLogin, Apple's Hide My Email, Firefox Relay) generate random-looking addresses at the provider's own domain that reveal nothing about you and can be switched off individually. Use these for accounts you actually care about.
For the genuine throwaways — the coupon code, the one PDF, the wifi portal, the app you're 80% sure you'll delete — a disposable inbox is the right tool. This is exactly what a service like EvilMail is for: you get a working mailbox for as long as you need it, receive the confirmation link, and never expose your primary address at all. When the address gets sold to a spam list later (and it will), the spam lands in a mailbox you've already forgotten about instead of the inbox you read every morning.
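To make the "labeled leak" idea concrete, here is an added example in JavaScript (not EvilMail's code): a small registry of every address you handed out, and a function that attributes a spam recipient address to the service that leaked it. The primary address, aliases, service names and registry are constructed sample data; note how a plus-address whose tag has been stripped collapses to the primary and can no longer be attributed, while an alias still can.

```javascript
// Constructed sample data: your primary address and the per-service addresses you gave out.
const PRIMARY = "me@mail.example";

// Registry of every address handed out, keyed by the exact recipient string (lowercase).
// In practice this lives in your alias provider's dashboard or a notes file.
const REGISTRY = {
  "me+shopco@mail.example":    { method: "plus",       service: "ShopCo" },
  "k2v9x7@alias.example":      { method: "alias",      service: "NewsApp" },
  "tmp-81ff@evilmail.example": { method: "disposable", service: "WifiPortal" },
};

// Plus-addressing normalisation: mail to me+anything@ is delivered to me@.
// A list cleaner applies exactly this before resale, which destroys the tag.
function stripPlusTag(address) {
  const [local, domain] = address.toLowerCase().split("@");
  return `${local.split("+")[0]}@${domain}`;
}

// Verdict for one spam recipient address: who leaked it, and what to do about it.
function attributeSpam(recipient, registry = REGISTRY, primary = PRIMARY) {
  const addr = recipient.toLowerCase();
  const entry = registry[addr];
  if (entry) {
    const action = entry.method === "disposable"
      ? "already isolated; let the mailbox rot"
      : `disable this ${entry.method} address and treat ${entry.service} as the leak`;
    return { service: entry.service, method: entry.method, traceable: true, action };
  }
  if (stripPlusTag(addr) === primary.toLowerCase()) {
    // Either the spammer stripped the +tag or the primary itself leaked: no way to tell which.
    return { service: null, method: "plus-or-primary", traceable: false,
             action: "plus tag stripped or primary exposed; cannot attribute" };
  }
  return { service: null, method: "unknown", traceable: false, action: "address not in registry" };
}
```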
Stop publishing your address in plain text
If you control a website, don't put a raw mailto: in the HTML. Use a contact form, an image, or JavaScript that assembles the address at runtime. This won't stop a determined scraper but it filters out the cheap, high-volume ones — and those are most of them.
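As an added example, not from the original post, two JavaScript helpers for a site you control: a self-audit that scans your own static HTML for anything a scraper would read as an address (plain, or in the "name [at] domain [dot] com" disguise the post says modern scrapers also parse), and a runtime assembler that builds the mailto: link from data attributes so no contiguous address exists in the page source. The sample markup, attribute names and regexes are constructed.

```javascript
// Self-audit: what would a cheap scraper pull out of this HTML?
const PLAIN_RE = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;
const DISGUISED_RE = /[\w.+-]+\s*(?:\[at\]|\(at\))\s*[\w-]+(?:\s*(?:\[dot\]|\(dot\))\s*[\w-]+)+/gi;

function exposedAddresses(html) {
  const hits = [];
  for (const m of html.match(PLAIN_RE) || []) hits.push({ kind: "plain", text: m });
  for (const m of html.match(DISGUISED_RE) || []) hits.push({ kind: "disguised", text: m });
  return hits;
}

// Runtime assembly. The markup stores the local part and the domain labels in reverse
// order, e.g. data-user="hello" data-host="org.example", so the joined address is never
// present in the static source; the browser builds it after the page is parsed.
function assembleAddress(user, reversedHost) {
  return `${user}@${reversedHost.split(".").reverse().join(".")}`;
}

// Rewrites every <a data-user data-host> into a real mailto: link. Returns the number of
// links rewritten; a no-op (0) when there is no DOM, e.g. under Node.
function renderContactLinks(root = typeof document !== "undefined" ? document : null) {
  if (!root) return 0;
  let count = 0;
  for (const a of root.querySelectorAll("a[data-user][data-host]")) {
    const addr = assembleAddress(a.dataset.user, a.dataset.host);
    a.href = "mailto:" + addr;
    a.textContent = addr;
    count++;
  }
  return count;
}

// Constructed sample markup: the first contains nothing a scraper recognises as an
// address; the second leaks it twice in plain form and once in the [at]/[dot] disguise.
const SAFE_HTML = '<a data-user="hello" data-host="org.example" href="#">Email me</a>';
const LEAKY_HTML =
  '<a href="mailto:hello@example.org">hello@example.org</a> or hello [at] example [dot] org';

renderContactLinks();
```

Call `exposedAddresses` on your built pages in CI; any hit means the address is back in plain text somewhere.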
Never click "unsubscribe" on obvious spam
Legitimate marketing email from a real company? Unsubscribe freely; it's legally required to work. But on clearly criminal spam — the pharma, the crypto, the fake invoices — that unsubscribe link is a *confirmation* that a human reads this mailbox. Clicking it makes your address *more* valuable, not less. Mark it as spam and move on.
Enable strong spam filtering and let it learn
Modern filters (Gmail's, Proton's, Fastmail's, a well-tuned SpamAssassin/Rspamd stack) genuinely work when you feed them signal. Marking spam as spam trains the filter. Rescuing false positives trains it too. A filter you actively correct for a month becomes dramatically better than a stock one.
Protect the addresses you can't rotate
Your primary personal and work addresses can't be thrown away, so they need real protection:
A unique, long password — never reused. Reuse is what turns a breach at a nobody website into a takeover of your email.
Two-factor authentication, ideally with an authenticator app or hardware key rather than SMS.
Breach monitoring turned on, so you find out the day something leaks.
How one leaked address becomes a hundred spam senders
It's worth understanding *why* a single leak snowballs, because it explains why cutting off new exposure matters so much more than fighting existing spam.
When your address lands in a breach dump, it doesn't get spammed by one operator. It gets *sold*, then resold, then bundled into "combo lists," then scraped back off the forums where those lists were posted. Each buyer runs their own campaigns and their own validation. A single leaked address routinely ends up on dozens of independent sender lists within a few months. That's why unsubscribing does nothing: there is no central list to leave.
There's also a validation economy running in the background. Spammers pay more for *verified* addresses — ones confirmed to be live and read by a human. Every time you open a tracked message, click a link, or reply, you upgrade your own address from "maybe real" to "definitely valuable," and its resale price goes up. This is the mechanical reason the advice "don't interact with spam" actually matters: interaction is the signal that keeps your address in premium circulation.
The practical takeaway is blunt. You cannot deflate the value of an address that's already out there — it will keep getting traded regardless of what you do. What you *can* do is make sure your *important* addresses never enter that economy in the first place, and route everything disposable to inboxes you're happy to let rot. Containment beats cleanup every time.
Myths that waste your time
A few widely repeated "defenses" don't do what people think.
"I'll just unsubscribe from everything." Doesn't stop harvesting, scraping, or breaches. It only manages mail from senders who honor unsubscribe requests — the ones who were never the real problem.
"Spammers can tell if I opened the email, so I'll never open them." Partly true — tracking pixels exist — but simply *receiving* mail already confirmed a deliverable address. Blocking remote images (default in most clients now) neutralizes most open-tracking anyway.
"A brand-new address is safe forever." Only until you use it. The moment you type it into a form, it's subject to every leak that form's owner is vulnerable to.
"Paying for email means no spam." Paid providers often have better filtering, but they can't stop your address from being leaked by a third party you gave it to. The address, not the mailbox provider, is what leaks.
"CAPTCHA on my contact form stops spam scraping." CAPTCHA stops automated *submissions*. It does nothing about a scraper reading the address off the page.
A realistic setup you can adopt this week
You don't need to overhaul your life. A tiered approach handles 95% of the problem:
1. One primary address for real, long-term relationships — bank, government, close contacts. Guard it like a password. Never type it into a form you don't fully trust.
2. Aliases for services you want to keep but might need to sever — shopping, subscriptions, apps. One alias per service so you can trace and cut leaks.
3. Disposable addresses for everything one-shot — trials, downloads, wifi portals, "sign up to see the price." Never let these touch your real inbox.
Layer that with unique passwords, 2FA on the accounts that matter, and breach alerts, and you've cut off most of the supply chain that ends in your spam folder. The spam won't vanish overnight — addresses already in circulation keep circulating — but the *new* flow slows to a trickle, and when something does leak, you'll know exactly which door it came through.
That last part is the real win. Spam stops being a mysterious force of nature and becomes what it actually is: a traceable consequence of specific decisions, each of which you can now make differently.