Why Am I Suddenly Getting So Much Spam?

One day your inbox is fine. The next, you are drowning in spam. Viagra ads, crypto schemes, fake invoices, phishing attempts — dozens per day, seemingly out of nowhere.

This does not happen randomly. Something triggered it. Here are the five most common causes and what to do about each one.

Cause 1: Your email was in a data breach

This is the #1 reason for sudden spam increases. A service you signed up for — maybe years ago — got hacked. Your email address is now in a database that is traded on dark web marketplaces and used by automated spam tools.

How to check

Visit Have I Been Pwned and enter your email address. It will show every known breach your address appeared in. You may be surprised how many there are.

What to do

• Change your password on the breached service (and everywhere you reused it)
• Enable two-factor authentication on important accounts
• You cannot remove your address from breach databases — it is out there permanently
• Start using email aliases for future signups so your real address stops accumulating in new databases

Cause 2: You clicked "unsubscribe" on spam

Counterintuitive, but true. When you click the unsubscribe link in an actual spam email (not legitimate marketing), you are confirming to the spammer that your address is active and monitored. This makes your address more valuable — and you get more spam.

How to tell the difference

• Legitimate marketing — From a company you recognize, includes a real physical address, has a proper List-Unsubscribe header. Safe to unsubscribe.
• Spam — From an unknown sender, no physical address, suspicious links, content you never signed up for. Do NOT click unsubscribe.

What to do

• For legitimate senders: use header-based unsubscribe (your email client's "Unsubscribe" button or a tool like Cleanbox)
• For spam: mark as spam and block the sender. Do not interact.
• Read more about what actually happens when you click unsubscribe

Cause 3: Your address was harvested from the web

If your email address is published anywhere online — your website, a forum post, a social media profile, a GitHub commit, a WHOIS record — automated scrapers have found it. These bots crawl the internet specifically looking for email addresses to add to spam lists.

What to do

• Remove your email from public profiles where possible
• Use contact forms instead of publishing email addresses on websites
• Enable WHOIS privacy on your domains
• For addresses already harvested: the damage is done. Use aliases going forward.

Cause 4: A company sold your data

Some companies sell their mailing lists to third parties. That free ebook you downloaded, that contest you entered, that "free trial" you signed up for — the fine print may have included consent to share your data with "partners."

How to identify the source

If you use unique aliases per service, you know exactly which service sold your data — the spam arrives on that specific alias. Without aliases, it is nearly impossible to trace.

What to do

• If you can identify the source, file a complaint (GDPR in the EU gives you this right)
• Block or disable the compromised alias
• Be more selective about which services get your email — or use disposable aliases for untrusted services

Cause 5: Email forwarding amplification

If you use an email forwarding service without spam filtering, spam sent to the forwarded address lands directly in your inbox. The forwarding service passes everything through — it does not distinguish spam from legitimate email.

What to do

• Use a forwarding service that includes spam filtering (not just blind forwarding)
• Set per-address spam thresholds so each forwarded address can have appropriate protection

The long-term fix

All five causes have one thing in common: your real email address is exposed. The permanent solution is to stop exposing it:

1. Use aliases for every new signup — Your real address stops accumulating in new databases
2. Set up spam filtering with adjustable thresholds — Catch spam that targets your existing address
3. Block by category — Deny entire sender categories (Discounts & Promotions, Gaming & Gambling) to eliminate classes of spam at once
4. Whitelist trusted senders — Ensure important email always arrives despite aggressive filtering

You cannot undo past exposure. But you can make sure it stops getting worse.