I Gave 10 Sites My Real Email. Here's the First 7 Days of Spam.

June 23, 2026 · 5 min read

TL;DR - I made a brand-new email address, gave it to 10 ordinary websites (free trials, a discount code, a PDF download), then did nothing else and counted the spam. Within 24 hours, "partner" brands I never signed up for were emailing me. By day 4 the data brokers kicked in. By day 7: 84 emails, 17 senders I never gave my address to, and 3 phishing attempts. Unsubscribe barely helped. The fix is giving each site a different address you can delete.

I made a fresh email address. Brand new domain. Brand new mailbox. No prior signups, no leaks, no contact list.

Then I gave it out to 10 ordinary websites. Not sketchy ones, the kind of sites a normal person signs up for in a normal week. Then I waited a week and counted the spam.

This is not a story about what happens when you fill in your address on free-iphone-15.biz. This is what happens when you do the everyday things (sign up for a free trial, download a PDF, grab a discount code at checkout) without doing anything else.

The setup

  • One fresh email, used nowhere else. Not given to a friend, not posted online, not used to register a phone, not connected to any social account.
  • 10 signups, all on the same day, same name, same fake date of birth.

The 10 signups, in order:

  1. A free trial of a project-management app (you have heard of it).
  2. A fashion retailer's mailing list, for "10% off your first order".
  3. A free PDF guide on personal finance.
  4. A B2B newsletter I genuinely wanted to read.
  5. An e-commerce site, just to add an item to a wishlist (no purchase).
  6. A recipe site that locks recipes behind email signup.
  7. An online course platform, free signup, no course bought.
  8. A "find a therapist" directory, no booking.
  9. A car insurance quote form, no purchase.
  10. A real estate listings site, set a saved search.

All ordinary. None malicious. None I would flag if a friend were doing them. Then I closed the tab and did not touch the address again. I just watched what arrived.

Day 0 to 1: the expected stuff

In the first 24 hours, exactly what you would predict. 18 emails: 10 "welcome" emails, 4 "complete your profile" follow-ups, 2 "your discount code" emails from the fashion retailer, and 2 unsolicited welcome emails from "partner" brands of the fashion retailer. Within 24 hours.

That last one is the interesting one. I signed up for one mailing list. By the next morning, two unrelated companies had received my address from that list and started emailing me directly. Standard behaviour. Almost every site does it. It is in the privacy policy.

Day 2 to 3: the acceleration

By day 3, the inbox had 47 emails total. The recipe site started sending one promo a day. The fashion retailer's "partners" doubled to four unrelated brands. A company I had never heard of started a daily newsletter, and its unsubscribe link pointed at the same email infrastructure as the "find a therapist" directory. The course platform began a 7-day drip campaign. The car insurance form turned into a daily quote reminder.

Most of these are technically legitimate, buried in some privacy policy, opt-in by default. None of them feel legitimate. None of them feel like things I asked for.

Day 4 to 5: the data brokers wake up

Day 4 is when it stops being marketing and starts being selling.

A new sender appears from a domain I do not recognise. The body is a generic ad for a credit-monitoring service. The footer says, in tiny text, "you are receiving this because you signed up for offers from one of our partners". I never agreed to offers from partners. I agreed to download a PDF.

By day 5 I am getting two or three of these a day. Different companies, different domains, different ad copy, but the same fingerprint: my address arrived in their database, repackaged as a "lead", from a data broker in the middle. The worst offenders for sharing the address: the free PDF download (by a mile), the fashion retailer's affiliate network, and the therapist directory.

Day 6 to 7: the total

End of day 7:

  • 84 total emails to a fresh address from 10 signups.
  • 6 senders I recognised from those 10 signups.
  • 17 senders I did not recognise, companies I have never interacted with, who somehow have my email.
  • 3 phishing-flavoured emails, impersonating brands I never signed up for, asking me to "verify my account".

Extrapolate that naively and it is roughly 600 emails a month from 10 ordinary signups, from a single week, without me doing anything else.

What this would have looked like with a different address per site

Here is the thing. If I had used a different forwarding address for each of the 10 signups, then on day 4 I could have looked at the inbox, spotted the three loudest sources (the PDF download, the fashion retailer, the therapist directory), and killed just those three addresses.

The 17 unknown senders that arrived because of those three would all have gone silent at once, permanently. The phishing would not have arrived, because it was piggybacking off lists that included those addresses. The 7 signups I genuinely wanted would have kept working, and my real address would still be unknown to all 17 of those downstream companies. My inbox at the end of week one would have had about 25 emails from 7 senders I expected.

That is the whole pitch. Not "spam never reaches you", that is not how email works. The pitch is: when something turns into a problem, you can make it stop in one click, permanently, without negotiating with the unsubscribe link.
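To make the day-4 triage concrete, here is an added example (not part of the original experiment or of any alias service's code) that attributes mail to the alias it was delivered to and lists the sender domains that are not the site the alias was given to. The alias names, the site domains and the sample messages are all constructed, and the two-label domain match is a simplification.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Hypothetical mapping: alias -> domain(s) of the one site it was given to.
ALIAS_OWNERS = {
    "pdf-guide@alias.example": {"financeguide.example"},
    "fashion@alias.example": {"fashionshop.example"},
    "newsletter@alias.example": {"b2bnews.example"},
}

def make_msg(sender, rcpt):
    """Build a constructed sample message; only the headers matter here."""
    return f"From: {sender}\nDelivered-To: {rcpt}\nSubject: sample\n\nbody\n"

SAMPLE_MAIL = [  # constructed, not real traffic
    make_msg("Guide Team <hello@financeguide.example>", "pdf-guide@alias.example"),
    make_msg("Credit Watch <offers@creditwatch.example>", "pdf-guide@alias.example"),
    make_msg("Lead Smart <deals@mail.leadsmart.example>", "pdf-guide@alias.example"),
    make_msg("Fashion Shop <news@mail.fashionshop.example>", "fashion@alias.example"),
    make_msg("Partner Brand <promo@partnerbrand.example>", "fashion@alias.example"),
    make_msg("Editor <editor@b2bnews.example>", "newsletter@alias.example"),
]

def registrable(domain):
    # Simplification: last two labels. A real tool would use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def leak_report(raw_messages, owners):
    """Map each alias to the sender domains that are not the site it was given to."""
    unexpected = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        # The recipient alias is the reliable signal: only the site it was given
        # to (or whoever that site passed it on to) can know it.
        rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
        # From is sender-controlled, so mail spoofing the site's own domain
        # would be counted as expected; this only labels the obvious third parties.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if rcpt not in owners or "@" not in sender:
            continue
        dom = registrable(sender.rsplit("@", 1)[1])
        if dom not in owners[rcpt]:
            unexpected[rcpt].add(dom)
    return {alias: sorted(doms) for alias, doms in unexpected.items()}

def aliases_to_disable(report, threshold=2):
    """Aliases with at least `threshold` unexpected sender domains, loudest first."""
    hits = [a for a, doms in report.items() if len(doms) >= threshold]
    return sorted(hits, key=lambda a: -len(report[a]))
```
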

I care about this because I got tired of running this experiment by accident. Every couple of years a real signup would balloon into a six-month inbox cleanup, and "just do not sign up for things" is not a strategy if you want to use the internet. I built and ran an alias service called SecureAlias on exactly this idea (I am winding it down now), but you do not need mine: Apple Hide My Email, DuckDuckGo Email Protection, Firefox Relay, and Proton's SimpleLogin all give you a different address per site that you can delete when it turns sour.

What I learned

  1. Mainstream signups leak your address to "partners" within 24 hours. Not the sketchy ones, the regular ones.
  2. The data-broker pipeline is fast. Day 4 is when totally unrelated companies start showing up.
  3. Phishing follows the data brokers. The longer I watched, the worse and more convincing it got.
  4. Unsubscribe does not help. I clicked it on 8 of the unrecognised senders. Three stopped. Five did not. Two of those "unsubscribed" me by re-subscribing me to a different list under a related brand.

The version of this experiment with a throwaway address per site takes 30 seconds to clean up. The version without takes a season.
