Spam

Also known as: Unsolicited bulk email, UBE

Unsolicited bulk messaging — email, SMS, comments, or DMs — sent to large recipient lists for advertising, fraud, or malware delivery.

What is spam?

Spam is unsolicited bulk messaging pushed out to recipients who have no pre-existing relationship with the sender. The term started as internet slang for unwanted email (reportedly from the Monty Python sketch) and now covers SMS spam, comment spam, DM spam, and any other channel that lets a sender reach many recipients cheaply. The economics are simple: sending costs almost nothing, so even a 0.001% response rate on hundreds of millions of messages can be profitable.

What spam is used for

  • Product advertising — pharmaceutical, counterfeit goods, pump-and-dump stock schemes
  • Phishing — credential capture or wire-fraud pretexts
  • Malware delivery — weaponized attachments or links to exploit kits
  • SEO link manipulation — links dropped into blog comments, forums, and guestbooks to boost a third-party site's ranking (see comment spam)
  • Account farming — hundreds of fake sign-ups on fresh services, whose confirmation emails and resulting accounts build a reputation base for later abuse

How spam is delivered at scale

Historically, spam was pumped through open relays (third-party SMTP servers that would forward mail for anyone) and the spammer's own servers. Today the sending is dispersed across a botnet of infected consumer machines, thousands of compromised mail servers, hijacked cloud SMTP or transactional-email accounts, or, at the "clean" commercial end, email-service-provider accounts bought with stolen cards, so that no single IP or account carries enough volume to be blocked quickly. The recipient list itself usually comes from an email harvester crawl or a breach dump.

Anti-spam infrastructure

Modern email defense stacks SPF, DKIM, and DMARC (sender authentication and alignment of the authenticated domain with the visible From: domain), content filtering, IP and domain reputation scoring (SenderScore, Talos, Spamhaus), and per-recipient machine-learning classifiers. Most high-volume spam is rejected at the SMTP handshake, on the reputation of the connecting IP alone, before the message is ever accepted. Source IPs used in spam runs are flagged quickly; running one through an IP abuse report checker usually returns heavy prior reporting.

Frequently Asked Questions

What is the difference between spam and phishing?

Spam is unsolicited bulk messaging, usually advertising, scams, or low-quality content sent to large lists. Phishing is a specific attack that impersonates a trusted sender to trick the victim into giving up credentials, money, or sensitive data. Mass phishing is unsolicited bulk mail, so it is technically a subset of spam (targeted spear phishing, sent to a handful of hand-picked recipients, is not bulk and usually escapes the label), but most spam is not phishing; it is just unwanted advertising. Phishing is criminal; bulk advertising spam may or may not be, depending on the jurisdiction and its consent rules.
Why is spam still profitable when filters catch most of it?

Because the marginal cost of sending one more spam message is essentially zero, while every successful conversion (a sale, a stolen credential, an installed malware sample) is worth real money. Modern spam filters block over 99% of attempts, but sending volume is in the trillions per year, so even a fraction of a percent leaking through still reaches a huge number of recipients. The economics only break when the conversion value drops to zero or the cost of sending infrastructure rises sharply.
Is spam illegal?

In most jurisdictions, yes, though enforcement varies. The US CAN-SPAM Act (2003) requires a working opt-out, accurate sender identification, and a physical postal address; the civil penalty, as of the 2023 inflation adjustment, is up to $50,120 per email. The EU GDPR and ePrivacy Directive require prior opt-in consent for marketing email (with a narrow soft opt-in for existing customers); the UK PECR is similar. Pure fraud spam (phishing, malware delivery) is criminal under wire-fraud and computer-misuse statutes in essentially every jurisdiction. Enforcement is hardest when senders operate from jurisdictions that do not cooperate.
How do spam filters work?

Modern spam filters layer multiple signals: sender IP reputation (Spamhaus, SenderScore, Talos), authentication (SPF/DKIM/DMARC pass or fail, and whether the authenticated domain aligns with the From: header), domain age and history, content patterns matched by Bayesian filters and machine-learning classifiers, header analysis (forged or inconsistent fields), and per-recipient engagement (open and reply rates as quality signals). The checks are ordered by cost: IP reputation is consulted at connect time and SPF at MAIL FROM, so most high-volume spam is rejected at the SMTP handshake, based on the connecting IP alone, before the message body is ever transmitted; DKIM, DMARC, and content scoring run only on mail that gets past those gates.
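The layering described in the "Anti-spam infrastructure" section and in this answer, as an added worked example that is not code from the original page or from any real MTA or filter. It assumes stand-in DNS records, a stand-in IP blocklist, and token weights in place of a trained classifier, and it assumes DKIM signature verification has already been done elsewhere (only its result is passed in). The SPF evaluator handles only ip4:/ip6: mechanisms and the final all qualifier, and the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Toy inbound-mail gate: IP reputation at connect, SPF at MAIL FROM, DMARC
alignment on From:, then content scoring. Constructed example; all data is stand-in."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumed records, not real ones).
DNS = {
    "example.com": {"spf": "v=spf1 ip4:203.0.113.0/24 -all", "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=r"},
    "example.net": {"spf": "v=spf1 ip4:198.51.100.0/24 ~all", "dmarc": "v=DMARC1; p=quarantine"},
}
# Constructed stand-in for a Spamhaus-style IP reputation feed.
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed token weights standing in for a trained Bayesian/ML classifier.
TOKEN_WEIGHTS = {"winner": 2.0, "click": 1.0, "urgent": 1.5, "invoice": 0.5, "meeting": -1.0}
QUARANTINE_SCORE = 4.0

def org_domain(domain):
    """Crude organizational domain (last two labels); real filters use the PSL."""
    return ".".join(domain.lower().split(".")[-2:])

def spf_check(ip, domain):
    """Minimal SPF: handles ip4:/ip6: mechanisms and the final 'all' qualifier only."""
    rec = DNS.get(domain, {}).get("spf")
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        if term[:4] in ("ip4:", "ip6:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.lstrip("+-~?") == "all":
            qual = term[0] if term[0] in "-~?" else "+"
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def aligned(auth_domain, from_domain, mode):
    # DMARC identifier alignment: strict needs an exact match, relaxed the org domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (result, policy). Pass needs an aligned SPF pass or an aligned DKIM pass."""
    rec = DNS.get(org_domain(from_domain), {}).get("dmarc")
    if rec is None:
        return "none", "none"
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p", "none")

def content_score(body):
    tokens = set(re.findall(r"[a-z]+", body.lower()))
    return sum(TOKEN_WEIGHTS.get(t, 0.0) for t in tokens)

def gate(client_ip, mail_from, raw_message, dkim_result="none"):
    """Cheapest checks first, so most junk is refused before DATA is ever sent."""
    if any(ipaddress.ip_address(client_ip) in net for net in BLOCKLIST):
        return "reject_at_connect", "client IP on blocklist"
    mailfrom_domain = mail_from.rsplit("@", 1)[-1]
    spf = spf_check(client_ip, mailfrom_domain)
    if spf == "fail":
        return "reject_at_mailfrom", f"SPF hard fail for {mailfrom_domain}"
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    m = re.search(r"(?:^|[;\s])d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else None  # signing domain; verification result is assumed
    dmarc, policy = dmarc_evaluate(from_domain, spf, mailfrom_domain, dkim_result, dkim_domain)
    if dmarc == "fail" and policy == "reject":
        return "reject", f"DMARC fail under p=reject for {from_domain}"
    score = content_score(msg.get_payload())
    if dmarc == "fail" and policy == "quarantine":
        score += 2.0  # unauthenticated mail is scored more suspiciously
    verdict = "quarantine" if score >= QUARANTINE_SCORE else "accept"
    return verdict, f"content score {score:.1f}"

# Constructed sample traffic (not real messages).
SPOOFED = ("From: Accounts <billing@example.com>\n"
           "DKIM-Signature: v=1; a=rsa-sha256; d=mailer-example.org; s=sel\n\nYour invoice is attached.\n")
LEGIT = "From: alice@example.com\n\nMeeting tomorrow to review the invoice.\n"
SPAMMY = "From: Deals <deals@example.net>\n\nYou are a WINNER! Click now, this is urgent.\n"

def demo():
    return {
        "blocklisted": gate("192.0.2.55", "x@example.net", SPAMMY),
        "spoofed": gate("198.51.100.7", "bounce@mailer-example.org", SPOOFED, dkim_result="pass"),
        "legit": gate("203.0.113.10", "bounce@example.com", LEGIT),
        "spammy": gate("203.0.113.99", "promo@example.net", SPAMMY),
    }

if __name__ == "__main__":
    print(demo())
```

The "spoofed" case is the one DMARC exists for: the message carries a valid DKIM signature, but from the bulk-mailer's domain rather than the From: domain, so under example.com's strict alignment policy it fails and is rejected even though nothing about it is cryptographically wrong.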
Where do spammers get email addresses?

Five main sources: data breaches (huge corpora of leaked addresses circulate freely), web scraping by email harvesters that crawl pages for mailto: links and address-like text, sign-up forms whose lists are sold on ("we may share your information with partners"), guessing common patterns such as first.last or first initial plus surname at a known company domain, and directory-harvest probes that fire large numbers of RCPT TO (or VRFY/EXPN) commands at a mail server and note which addresses it accepts. Once an address is on a spammer's list, it typically gets resold across networks within weeks.
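The directory-harvest probing mentioned in this answer is visible from the receiving side as a burst of unknown-recipient rejects from one client. Below is an added example of detecting it over Postfix-style smtpd log lines; it is not code from the original page or from any real product. The log lines are constructed in Postfix's reject and accept format, and the window, count and ratio thresholds are assumptions to tune per site.

```python
"""Directory-harvest attack (DHA) detection over Postfix-style smtpd log lines.
Constructed example; the log below is made up and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 192.0.2.10 walks an alphabetical list of guessed addresses,
# 203.0.113.5 is a real correspondent who mistyped one recipient, and
# 198.51.100.20 hits two stale aliases hours apart.
LOG = """\
Mar  3 09:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<aaron@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<abby@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<adam@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 09:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<alan@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 09:00:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alex@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<alex@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 09:00:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <amy@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<amy@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 09:01:10 mx postfix/smtpd[2102]: 7F3A1B2C3D: client=mail.partner.example[203.0.113.5]
Mar  3 09:01:15 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: 550 5.1.1 <bob.smiht@example.com>: Recipient address rejected: User unknown in local recipient table; from=<carol@partner.example> to=<bob.smiht@example.com> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:30:00 mx postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 550 5.1.1 <old-alias@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<old-alias@example.com> proto=ESMTP helo=<example.org>
Mar  3 11:45:00 mx postfix/smtpd[2151]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 550 5.1.1 <sales2019@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<sales2019@example.com> proto=ESMTP helo=<example.org>
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
REJECT_RE = re.compile(TS + r"NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: 550 5\.1\.1 <([^>]+)>: "
                       r"Recipient address rejected: User unknown")
ACCEPT_RE = re.compile(TS + r"[0-9A-F]+: client=\S+\[([\d.]+)\]")

def parse_ts(text):
    # Syslog timestamps carry no year; that is fine for deltas within one log.
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")

def detect_dha(log_text, window_seconds=300, min_unknown=5, min_ratio=0.8):
    """Flag client IPs whose RCPT TO traffic is dominated by unknown-user rejects."""
    events = defaultdict(list)  # ip -> [(time, kind, recipient)]
    for line in log_text.splitlines():
        if (m := REJECT_RE.match(line)):
            events[m.group(2)].append((parse_ts(m.group(1)), "unknown", m.group(3)))
        elif (m := ACCEPT_RE.match(line)):
            events[m.group(2)].append((parse_ts(m.group(1)), "accepted", None))
    findings = {}
    for ip, evs in events.items():
        unknown = sorted(e[0] for e in evs if e[1] == "unknown")
        # Largest number of unknown-recipient rejects inside any sliding window.
        best, j = 0, 0
        for i, t0 in enumerate(unknown):
            while j < len(unknown) and (unknown[j] - t0).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        ratio = len(unknown) / len(evs)
        if best >= min_unknown and ratio >= min_ratio:
            findings[ip] = {
                "unknown_in_window": best,
                "distinct_recipients": len({e[2] for e in evs if e[1] == "unknown"}),
                "unknown_ratio": round(ratio, 2),
            }
    return findings

if __name__ == "__main__":
    for ip, info in detect_dha(LOG).items():
        print(ip, info)
```

The ratio test is what keeps a legitimate correspondent with one typo off the list, and the sliding window is what separates a harvester from a sender that occasionally hits stale aliases; a flagged IP is a good candidate for a temporary connection-level block (Postfix's own anvil rate limits or a fail2ban-style rule) rather than a permanent entry in a reputation feed.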