Why am I suddenly getting spam emails? Causes and fixes
2026-06-23
Your inbox was quiet for years, and now it fills up with fake invoices, miracle pills and "urgent account notices" every morning. Spam that starts suddenly is not bad luck — it is a symptom. Somewhere, recently, your address moved from a database you trusted into one you don't, and from there it spreads fast. This article walks through the five ways that happens, how to figure out which one hit you, and what actually stops the flood.
The five ways your address gets out
Almost every sudden spam wave traces back to one of these events:
- A signup shared or sold your address. You gave your email to a shop, a giveaway, a coupon site or an app, and its privacy policy quietly allowed sharing with "selected partners." One form, ten new senders.
- A data breach. A service you use was hacked and its user database — including your address — was dumped or sold online. Breached lists circulate in spammer circles for years.
- Scraping. Bots crawl websites, forums, comment sections and social profiles around the clock, harvesting anything that looks like an email address. If your address appears in public HTML anywhere, assume it has been collected.
- Dictionary attacks. Spammers don't always need to find your address — they guess it. Common patterns like john.smith@, info@ or firstname@ at big providers get blasted blindly. Short, common addresses receive spam without ever leaking.
- List trading. Once your address is on one spam list, it gets verified, packaged and resold to other spammers. This is why one leak snowballs: the first wave is the leak itself, every wave after that is the resale market.
How to diagnose which one it was
You usually can't get a confession, but the evidence narrows it down. First, check the recipient line of the spam. If you use plus addressing or aliases and the spam arrives at name+shopname@, the culprit has literally signed its work — one of the alias tricks worth setting up for exactly this reason. Second, check the timing: spam that starts days after a specific signup points at that signup. Third, run your address through Have I Been Pwned; if it appears in a recent breach, that is your likely source, and our guide on what to do after a data breach covers the full response. Finally, look at the greeting: spam that knows your name came from a database with your name in it, while spam addressed to no one in particular is consistent with scraping or a dictionary attack.
Why it gets worse instead of better
Spam volume rarely stays flat, because spammers actively verify their lists. Every opened message with remote images, every clicked link — including fake "unsubscribe" links — signals that a human reads this inbox. Verified-active addresses are worth more and get sold onward at a premium. That is why the single most damaging reaction to spam is engaging with it, and why marking spam instead of unsubscribing matters so much: the goal is to look dead to the people testing your address.
How to stop the bleeding
- Stop interacting with the spam. Don't open what you can identify from the subject line, don't load remote images, never click links. Mark as spam and move on — your filter learns, and you stop confirming the address is alive.
- Change the password of any breached account. If Have I Been Pwned showed a hit, assume the password leaked with the address. Make it unique this time.
- Filter what you can identify. If plus addressing exposed the leaker, block that variant with one rule. Otherwise, filter recurring senders and subjects straight to junk.
- Unsubscribe only from senders you recognize. A newsletter you genuinely signed up for will honor an unsubscribe. Everything else gets the spam button.
- Stop feeding new databases. Every additional signup with your real address is a future leak. For one-time signups, downloads and trials, use a free disposable address that self-destructs after 10 minutes — whatever list it lands on points at nothing.
Accept what you can't undo
Here is the honest part: an address that is circulating on spam lists cannot be pulled back. There is no opt-out from the resale market. What you control is the trend line — a well-trained filter plus zero engagement makes existing spam manageable, and address hygiene prevents the next wave. The broader playbook is in our guide to avoiding spam; if the address is truly beyond saving, it also covers when a fresh start is worth it.
Make the next leak impossible
Sudden spam means your address was somewhere it shouldn't have been. You can't change that, but you can make sure the next coupon popup, whitepaper gate or free trial never learns your real address: generate a temporary email in one click, let it catch the confirmation link, and let it expire. No signup, free, gone in 10 minutes — details in the FAQ.