I gave 10 sites my real email. Here's the first 7 days of spam.
An experiment: a fresh inbox, ten ordinary signups, no other activity. Just to find out what your real email is actually worth on the open market.
I made a fresh email address. Brand new domain. Brand new mailbox. No prior signups, no leaks, no contact list.
Then I gave it out to 10 ordinary websites. Not sketchy ones — the kind of sites a normal person signs up for in a normal week.
Then I waited a week and counted the spam.
This isn't a story about what happens when you fill in your address on free-iphone-15.biz. This is what happens when you do the everyday things — sign up for a free trial, download a PDF, get a discount code at checkout — without doing anything else.
The setup
- One fresh email: experiment-2026-04@<my-domain>.com
- No other use of that address. Not given to a friend, not posted online, not used to register a phone, not connected to any social account.
- 10 signups, all on the same day, all with the same name and the same fake DOB.
The 10 signups, in order:
- A free trial of a project-management SaaS (you've heard of it).
- A fashion retailer's mailing list, in exchange for "10% off your first order".
- A free PDF guide on personal finance.
- A B2B newsletter that I genuinely wanted to read.
- An e-commerce site, just to add an item to a wishlist (no purchase).
- A cooking recipe site that locks recipes behind email signup.
- An online course platform, free signup, no course bought.
- A "find a therapist" directory, no booking.
- A car insurance quote form, no purchase.
- A real estate listings site, set a saved search.
All ordinary. None malicious. None I'd flag as suspicious if a friend were doing them.
Then I closed the tab and didn't touch the address again. I just watched what arrived.
Day 0–1: The expected stuff
In the first 24 hours, exactly what you'd predict. 18 emails:
- 10 "welcome to [thing]" emails (one from each signup).
- 4 "complete your profile" / "verify your email" follow-ups.
- 2 "your discount code" emails from the fashion retailer (yes, two — one transactional, one promotional).
- 2 unsolicited welcome emails from "partner" brands of the fashion retailer. Within 24 hours. These are not the brand I signed up for. They're brands I have never heard of, who somehow already have my address.
That last one is the interesting one. I signed up for one mailing list. By the next morning two unrelated companies had already received my address from that list and started emailing me directly. Standard behavior. Almost every site does it. It's in the privacy policy.
Day 2–3: The acceleration
By day 3, the inbox had 47 emails total. Highlights:
- The cooking site started sending one promotional email per day — separate from the welcome sequence.
- The fashion retailer's "partners" doubled. Now four unrelated brands are emailing me, none of which I signed up for.
- A company I have never heard of, called something like "Wellness Daily" (I'm being vague to protect their lawyers), started sending me a daily newsletter. Their unsubscribe link, when I checked the source, pointed at the same email infrastructure as the "find a therapist" directory. I never gave permission.
- The online course platform began a 7-day "drip campaign" with a course ad each day.
- The car insurance form turned into a daily quote reminder.
Most of these are technically legitimate — buried in some privacy policy, opt-in by default, etc. None of them feel legitimate. None of them feel like things I asked for.
Day 4–5: The data brokers wake up
Day 4 is when it stops being marketing and starts being selling.
A new sender appears: [name@some-domain-i-dont-recognize]. The body of the email is a generic ad for a credit monitoring service. The footer says, in extremely small text, "you're receiving this because you signed up for offers from one of our partners". I never agreed to "offers from partners". I agreed to download a PDF.
By day 5, I'm getting two or three of these per day. They are clearly different companies — different domains, different ad copy — but they all share the same fingerprint: my address arrived in their database, repackaged as a "lead", from a data broker in the middle.
The sites that sold the address (or whose "partner agreements" effectively sold it):
- The free PDF download. By a mile. Most aggressive.
- The fashion retailer's affiliate network.
- The "find a therapist" directory.
The sites that did not appear to share the address (in the first 7 days): the project-management SaaS, the genuine B2B newsletter, the online course platform, and the car insurance form. Some of those will probably start later — a 30-day study would catch more of them.
Day 6–7: The total
End of day 7:
- 84 total emails to a fresh address from 10 signups.
- 6 unique senders I recognized from those 10 signups.
- 17 unique senders I did not recognize — companies I've never interacted with, who somehow have my email.
- 3 phishing-flavored emails (impersonating brands I never signed up for, asking me to "verify my account"). These came in the second half of the week.
If I extrapolate this naively, that's ~600 emails per month from 10 ordinary signups. From a single week. Without me doing anything else.
What this would have looked like with aliases
Here's the thing. If I'd used a different alias for each of the 10 signups, I could have, on day 4, looked at the inbox, identified the three loudest senders (the PDF download, the fashion retailer, the therapist directory), and killed those three aliases.
The 17 unknown senders that arrived because of those three? They would all have been silenced at once. Permanently. The phishing emails wouldn't have arrived because they were piggybacking off lists that included those addresses.
The 7 signups I genuinely wanted to keep would have continued to work. My real email address would still be unknown to all 17 of those data-broker downstream companies. My inbox at the end of week one would have had ~25 emails from 7 senders, all of whom I expected.
That's the whole pitch. Not "spam never reaches you" — that's not how email works. The pitch is: when something turns into a problem, you can make it stop in one click, permanently, and you don't have to negotiate with the unsubscribe link.
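The per-alias attribution described above, as an added sketch (not SecureAlias code and not part of the original experiment): each message is attributed to the alias it was delivered to, and any sender outside that signup's own domain counts as a leak. A sender whose List-Unsubscribe host sits under the signup's domain is labelled as shared infrastructure, the same check as the unsubscribe-link observation on day 2–3. All addresses, domains and messages are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: one alias per signup -> the domain expected to mail it.
ALIASES = {
    "pdf-guide@alias.example": "financeguide.example",
    "therapist@alias.example": "therapistdir.example",
    "b2b-news@alias.example": "b2bnews.example",
}
SAMPLE = [  # constructed headers, not mail from the experiment
    "From: hello@mail.financeguide.example\nTo: pdf-guide@alias.example\n\n",
    "From: ads@creditwatch.example\nTo: pdf-guide@alias.example\n\n",
    "From: deals@leadoffers.example\nTo: pdf-guide@alias.example\n\n",
    "From: team@therapistdir.example\nTo: therapist@alias.example\n\n",
    "From: news@wellnessdaily.example\nTo: therapist@alias.example\n"
    "List-Unsubscribe: <https://mail.therapistdir.example/u/1>\n\n",
    "From: editor@b2bnews.example\nTo: b2b-news@alias.example\n\n",
]

def under(host, parent):
    return host == parent or host.endswith("." + parent)

def unsubscribe_hosts(msg):
    """Hosts named in the List-Unsubscribe header (https and mailto URIs)."""
    hosts = set()
    for uri in re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", "")):
        p = urlparse(uri)
        host = p.hostname or p.path.rpartition("@")[2]
        hosts.add(host.split("?")[0].lower())
    return hosts

def leak_report(raw_messages, aliases=ALIASES):
    """Map alias -> {unexpected sender domain: 'shared-infra' | 'third-party'}."""
    report = defaultdict(dict)
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
        expected = aliases.get(alias)
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        if not expected or under(sender, expected):
            continue  # unknown alias, or the signup itself mailing as expected
        shared = any(under(h, expected) for h in unsubscribe_hosts(msg))
        report[alias][sender] = "shared-infra" if shared else "third-party"
    return dict(report)

def aliases_to_disable(report, min_unknown=2):
    """Aliases whose leak fan-out reached min_unknown unexpected senders."""
    return sorted(a for a, s in report.items() if len(s) >= min_unknown)
```

On the constructed sample, the PDF alias is the only one that crosses the default threshold, and the B2B alias never appears in the report.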
What I learned
- Mainstream signups leak your address to "partners" within 24 hours. Not the sketchy ones — the regular ones.
- The data broker pipeline is fast. Day 4 is when totally unrelated companies start showing up.
- Phishing follows the data brokers. Week 2 onwards (I kept watching) the phishing got worse and more convincing.
- Unsubscribe doesn't help. I clicked unsubscribe on 8 of the unrecognized senders. Three of them stopped. Five did not. Two of those five "unsubscribed" me by re-subscribing me to a different list under a related brand.
The whole reason I built SecureAlias is: I got tired of doing this experiment by accident. Every couple of years a real-life signup like this would balloon out into a six-month inbox cleanup, and "just don't sign up for things" is not a real strategy if you want to actually use the internet.
The version of this experiment with aliases turned on takes 30 seconds to clean up. The version without aliases takes a season.
I'm going to repeat the experiment with a hundred sites over thirty days and post the results when it's done. Subscribe to find out. Or, you know, set up an alias for it first.