Spam emails feel random — an endless stream of unsolicited messages from people and companies you've never heard of. But there's nothing random about it. Spam is a highly organized, profitable industry with a clear supply chain, and understanding how it works helps you protect yourself.

Where spam lists come from

Before a spammer can send you an email, they need your address. There are several ways they get it.

Data breaches are one of the biggest sources. When a company is breached, millions of email addresses are exposed and eventually end up on spam lists traded on underground marketplaces.

Email harvesting is another method. Automated bots crawl websites, forums, social media profiles, and anywhere else email addresses are publicly visible, collecting them into lists.

List purchasing is surprisingly common even among legitimate businesses. When you sign up for a service and agree to lengthy terms of service you didn't read, you may be consenting to your email being shared with "partners" — which can mean almost anyone.

How spam actually gets sent

Spammers rarely send emails from their own servers. That would make them easy to identify and block. Instead, they use compromised computers — machines belonging to ordinary people whose devices have been infected with malware without their knowledge. These networks of infected computers, called botnets, send billions of spam emails every day while the device owners have no idea it's happening.

This is why spam comes from such a wide variety of sender addresses and IP addresses. It makes filtering extremely difficult.

Spam is profitable at a tiny response rate. A spammer sending 10 million emails and converting just 0.001% — that's 100 people — can still make significant money, especially for scams or pharmaceutical sales.

Why spam filters aren't enough

Spam filters have improved dramatically over the years, but they're always playing catch-up with evolving techniques. Spammers constantly adjust their messages to avoid filter patterns — using misspellings, images instead of text, or changing their sending infrastructure to avoid blacklists.

Additionally, not all unwanted email is technically spam. Marketing emails from companies you signed up with are legitimate by most definitions, even if you don't want them. Filters can't remove these, and unsubscribing doesn't always work reliably.

The most effective protection

The most reliable way to prevent spam is to stop your real email address from reaching spam lists in the first place. This means being selective about where you share it.

For any signup where you only need a confirmation or a one-time code, use a disposable email address. For ongoing services you trust, use your real address but check their privacy policy to understand how they handle it. Avoid entering your email on any site you don't recognize or trust.

If your inbox is already overwhelmed, a separate email address for online signups going forward — combined with temporary addresses for low-trust situations — is the most practical solution.