privacy, email, spam

I traced my casino spam back to a fitness app I used for two weeks

Spam you can't trace is a feature, not a bug — the whole point of using one email for everything is that nobody is accountable. Here's the trick that names the company, every time.

I traced my casino spam back to a fitness app I'd downloaded, used for two weeks, and forgotten about.

I have never, in my life, signed up to anything gambling-related. I don't bet, I don't gamble, I have never put my email into a sports app or a betting site or anything adjacent. But there it was, every few days in my inbox: your bonus is waiting, 100 free spins, click to claim. Coming to an address I had used in exactly one place.

That address was the entire trick.

Every site I signed up to got a different email. So when the casino spam arrived, I didn't have to guess which company sold me out. The to: field told me. It said fitness-app-name-2023@my-domain. There was no other interpretation. The fitness app sold its mailing list, or got breached and never said, or had a contractor with a side hustle. Pick whichever you find most believable.

I emailed the company. The response was the kind of practised non-answer ("we sometimes work with carefully selected partners…") that confirmed everything without admitting anything. I disabled that alias. The spam stopped within 48 hours. I added the company to my personal list of do not give them anything ever again.

If you've ever wondered where your spam is actually coming from - not just generally, but the specific company - this is how you find out. It costs almost nothing, takes a few minutes to set up, and pays you in clean inboxes for the rest of your life.

Why you can't trace it right now

Almost everyone uses one email address everywhere.

You probably do too. Your real Gmail or Outlook or iCloud address, the one you've had for ten years, is the one you typed into the shopping cart, the trial signup, the WiFi captive portal at the airport, the "are you over 18?" wall on a news article, and the 47 other places that asked over the past month.

So when spam starts arriving — fake casinos, "we miss you" prompts from companies you've never heard of, dropshipping offers in your second language — the spam can't tell you anything. It's going to the same address every other piece of legitimate mail goes to. The trail is fully obscured.

You can't sue them, because you don't know who they are. You can't unsubscribe, because the spam itself is from a fly-by-night that bought a list from someone else who bought it from someone else. The original company — the one that actually leaked or sold you — is three or four hands removed and entirely invisible.

That's the design. Everyone wins when nobody can trace it. Everyone except you.

The fix is one email address per signup

The fix is so simple it sounds like it can't work, but it absolutely does: give every site a different address.

Not "I'll set up a few backup gmails". Not "I'll use my work email for that one and my personal email for the others". A genuinely different address for every single signup.

When you do this, your inbox stops being a black box. Each address acts like a label.

  • Spam arrives at fitness-app-2023@yourname.com? You know who leaked, because only one company ever had that address.
  • A breach notification says tesla-2024@yourname.com was exposed? You know which breach actually hit you, not just "did one of my accounts get popped".
  • A company you have never dealt with emails an alias you only ever gave to a different company? You just caught a backend data-sharing arrangement nobody told you about.

Suddenly your inbox is a forensic instrument instead of a billboard.

How aliases actually work

The real version of this isn't "set up 200 different Gmail accounts". That would be miserable to manage and Gmail caps you anyway.

It's email aliases. The technical idea is over thirty years old: you have one real inbox, and you generate any number of forwarding addresses that all deliver into it. Mail sent to any alias arrives in your real inbox, with the alias visible so you can tell which one was used. If an alias starts getting spam, you switch it off — and that's it. The spam stops arriving. Forever. Without unsubscribing, without filtering, without contacting the company, without changing anything else.

There are a few decent ways to do this in 2026.

The free way: Gmail supports plus addressing: yourname+tesla@gmail.com delivers to yourname@gmail.com, and you can filter on the tag. Three problems. Anyone scraping or selling your address can trivially strip the +tesla portion, and they do, because they know this trick too. Many signup forms reject the + character outright. And the tag still carries your real address: you can filter it, but you can never switch it off, so a leaked tag is a leaked real address. It's better than nothing for casual use; it's not a serious solution.

The good way: A dedicated alias service. SimpleLogin, AnonAddy, Apple Hide My Email (if you're in the iCloud ecosystem), and Secure Alias (the one I built, specifically because I wanted a version of this for Australian families that you pay once and own forever, rather than rent forever). All of them let you generate a fresh address per signup, route it to your real inbox, and toggle it off the moment it gets sold.

The mechanic is the same across all of them. You sign up to your alias service. You install the browser extension or the iOS share sheet or whatever. When a site asks for your email, your alias service generates a brand new one — bx7k29@alias.example — and fills it in. The site never sees your real address. The site emails the alias, the alias forwards to you, you reply (if you want to) through the alias so your real address never leaks even in the reply chain.

Twelve months later, when bx7k29@alias.example starts getting Russian crypto spam, you click "disable" once. That alias is dead. The spam stops the instant the next message hits the dead alias: depending on the service it is rejected at the door or silently discarded, and either way it never reaches you. You also now know, with total certainty, that the site you signed up to as bx7k29 either sold its list, got breached, or has a contractor with a side hustle.
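To make the mechanics concrete, here is a toy alias forwarder in Python. It is an added example, not code from SimpleLogin, AnonAddy, Apple or Secure Alias, and the domains alias.example, my-domain.example, fitness-app.example and spins.example, like the sample messages, are made up for the walk-through. It generates a random alias per site, routes mail by the To: header, counts any sender other than the registered site as a leak against that site, rejects mail to a disabled alias, and shows why a +tag is worthless against a list-seller while a random alias is not.

```python
"""Toy alias forwarder and leak detector (added example, not any vendor's code)."""
import email
import secrets
from dataclasses import dataclass, field
from email.utils import parseaddr

ALIAS_DOMAIN = "alias.example"        # assumed: the alias service's domain
REAL_INBOX = "me@my-domain.example"   # assumed: your real address, never given to any site


def strip_plus_tag(addr: str) -> str:
    """What a list-seller does to a Gmail-style address: drop the '+tag' part.
    A random alias has no '+' to strip, so the same normalisation leaves it alone."""
    local, _, domain = addr.lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


@dataclass
class Alias:
    site: str          # the one company this alias was given to
    site_domain: str   # the domain that company legitimately sends from
    enabled: bool = True


@dataclass
class AliasService:
    aliases: dict = field(default_factory=dict)  # alias address -> Alias
    inbox: list = field(default_factory=list)    # (alias, site, sender, subject) forwarded to you
    leaks: dict = field(default_factory=dict)    # site -> number of messages from someone else

    def new_alias(self, site: str, site_domain: str) -> str:
        # Random local part: nothing to guess, nothing to strip. Real services use a longer one.
        addr = f"{secrets.token_hex(3)}@{ALIAS_DOMAIN}"
        self.aliases[addr] = Alias(site, site_domain.lower())
        return addr

    def disable(self, addr: str) -> None:
        self.aliases[addr].enabled = False

    def deliver(self, raw: str) -> str:
        """Route one raw RFC 822 message by its To: header. Returns the verdict:
        'forwarded', 'leak', 'rejected' (alias disabled) or 'unknown' (not our alias)."""
        msg = email.message_from_string(raw)
        to = parseaddr(msg.get("To", ""))[1].lower()
        sender = parseaddr(msg.get("From", ""))[1].lower()
        alias = self.aliases.get(to)
        if alias is None:
            return "unknown"      # an address we never issued: noise, not evidence against anyone
        if not alias.enabled:
            return "rejected"     # dead alias: the message never reaches the real inbox
        sender_domain = sender.rsplit("@", 1)[-1]
        legit = sender_domain == alias.site_domain or sender_domain.endswith("." + alias.site_domain)
        if legit:
            verdict = "forwarded"
        else:
            # Only alias.site ever had this address, so any other sender means it left their hands
            self.leaks[alias.site] = self.leaks.get(alias.site, 0) + 1
            verdict = "leak"
        # Forward into the real inbox with the alias kept visible, which is the whole point
        self.inbox.append((to, alias.site, sender, msg.get("Subject", "")))
        return verdict


def demo() -> dict:
    """Constructed walk-through of the fitness-app story; returns verdicts and the leak tally."""
    svc = AliasService()
    fit = svc.new_alias("FitnessApp", "fitness-app.example")
    verdicts = [
        svc.deliver(f"From: hello@mail.fitness-app.example\nTo: {fit}\nSubject: Welcome\n\nHi"),
        svc.deliver(f"From: promo@spins.example\nTo: {fit}\nSubject: 100 free spins\n\nClaim now"),
    ]
    svc.disable(fit)  # one click, and the alias is dead
    verdicts.append(svc.deliver(f"From: promo@spins.example\nTo: {fit}\nSubject: Bonus\n\nStill there?"))
    verdicts.append(svc.deliver(f"From: x@spins.example\nTo: nobody@{ALIAS_DOMAIN}\nSubject: Hi\n\n"))
    return {"verdicts": verdicts, "leaks": dict(svc.leaks), "inbox_size": len(svc.inbox)}


if __name__ == "__main__":
    print(strip_plus_tag("YourName+tesla@gmail.com"), strip_plus_tag("bx7k29@alias.example"))
    print(demo())
```

The verdict list from demo() reads forwarded, leak, rejected, unknown: the welcome mail goes through, the casino mail to the same alias is recorded against FitnessApp, the second casino mail hits the disabled alias and never reaches the inbox, and mail to an address you never issued is not pinned on anyone. The leak tally is the "companies that sell your data" list, built from headers rather than guesswork.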

What I actually did to trace the casino spam

To finish the story I opened with:

I had used my fitness-app alias in exactly one place. I had downloaded the app, signed up, used it for a fortnight, deleted it, and moved on. That alias had no legitimate reason to ever exist anywhere else.

When the casino spam started arriving to that exact alias, the inference was airtight. The fitness app — and only the fitness app — could have caused this. They either sold the list, or had a leak they never disclosed, or were running a side business I didn't know about.

I emailed the company. The response was the kind of well-practised non-answer that confirmed everything without admitting anything: "we sometimes work with carefully selected partners to bring you offers we think you'll enjoy". I switched the alias off, the spam stopped, and I added that company to my personal list of companies that sell your data.

I never used them again. I now use that list when I'm choosing between competing products. It is, frankly, one of the most useful databases I own.

You can't build that list if you don't know who's leaking what. You can't know who's leaking what if everyone has the same email.

How to start (without rewinding ten years of accounts)

If you've used one email everywhere since 2015, do not try to migrate everything tonight. Do this instead:

  1. Pick an alias service tonight. Apple Hide My Email if you're iCloud. Secure Alias, SimpleLogin, or AnonAddy if you want something cross-platform. Total time: 10 minutes.
  2. From today, every new signup gets an alias. No exceptions. Online store, app trial, WiFi captive portal, content download - none of those get your real address ever again.
  3. In a few months you'll start spotting your first leak. Spam arrives at companyname-2026@yourdomain. You know exactly who. Disable the alias, spam stops, add the company to your blacklist. The first time this happens you will feel a kind of vindication that is hard to describe.
  4. Slowly migrate your existing high-value accounts. Bank. Super. Government. Email for shopping. Not your real Gmail itself - that stays - but everything signed up with your real Gmail can move onto aliases over the next six months at your own pace.

Inside a year you have built a forensic system. Every email arriving at your real address is from someone you trusted before you knew better. Every email arriving at an alias is a small, switch-off-able relationship you control. When the next big breach lands - and there is always a next big breach - you will not be the person scrolling Have I Been Pwned hoping your address isn't there. You will be the person who knows, within five seconds, exactly which alias was caught and which one to kill.

That asymmetry - you know who they are, they don't know who you are - is the entire pitch.

Start tonight. By next weekend you will already have a different relationship with your inbox.