Someone Signed Me Up for Spam: How to Find Out Who and Stop It
If your inbox suddenly explodes with signup confirmations and welcome emails you never asked for, someone probably ran your address through a flood of newsletter forms. This is called subscription bombing, and security firms have documented it being used to bury financial fraud like unauthorized purchases. You usually cannot trace who did it, but you can stop the flood and, more importantly, rule out that fraud hiding underneath it.
Short answer. First check for hidden fraud like unexpected purchases or password resets. Then report and block, unsubscribe only from real senders, and put a learning filter in front of your inbox. Leave Me Alone's Spam Blocker handles that last part for you.
This tactic is still active today, and it works because the mail comes from real, legitimate sites, so your normal spam filter waves it through. That is why the volume looks so alarming.
What is happening when someone signs me up for spam?
A bot entered your email into hundreds or thousands of signup forms at once. It is called subscription bombing, or an email bomb. It is often a prank or retaliation, but sometimes it is cover for fraud.
There are a few common motives:
- A prank or harassment. Someone who wants to annoy you dumps your address into every form they can find. It feels personal, but it is usually cheap and automated.
- Cover for real fraud. This is the dangerous one. An attacker buries a genuine alert, like a purchase receipt or a password-reset email, under a wall of junk so you never notice it. Security firm Proofpoint documents that subscription bombing is used to paralyze your ability to communicate and bury evidence of a compromised account, with attacks that can deliver over 1,500 emails per hour.
- List trading. Sometimes it is not targeted at all. Your address leaked, got resold, and landed on aggressive mailing lists.
The fraud angle is the reason to check carefully. In one documented pattern, attackers used stolen Walmart.com logins to make purchases of $250 or less, then flooded the victim with signup confirmations so the real receipt sat buried five, seven, even ten pages deep. According to protection firm BlackCloak, some victims did not spot the charges for months. The flood is annoying, but what it might be hiding matters more.
Can I find out who signed me up for spam?
Honestly, almost never. The signups come from real websites, not from the attacker, so there is no return sender to trace. Unless the person admits it, or police get involved for a serious case, you will not identify them.
Here is why tracing is so hard:
- The confirmation emails are from real brands and newsletters, not from whoever typed your address in.
- Bots hide behind proxies, so even the sites that got signed up cannot see the real source.
- The attacker never has to touch your inbox, so there is nothing there pointing back to them.
If the timing lines up with a specific dispute or a person you just fell out with, you might have a strong guess. A guess is not proof. Spend your energy on stopping the flood and locking down your accounts, not on detective work that rarely pays off.
How to stop it and stay safe
Work through these in order. The first step is the most important, because it is the one that protects your money.
1. Check for hidden fraud first. Before you delete anything, search your inbox for words like "order", "receipt", "password", "reset", and "verify" to catch any real alert hiding in the noise. Then log in directly to your bank, your card, and your main shopping accounts (do not click email links) and check for unfamiliar activity and recent password changes.
2. Change passwords and turn on two-factor. Treat your key accounts as exposed. Change the passwords on your email, bank, and shopping logins, and switch on two-factor authentication so a stolen password alone is not enough.
3. Report and block, do not delete quietly. Reporting trains your provider. Our guide on how to report spam email walks through it per provider. Just deleting teaches your inbox nothing.
4. Unsubscribe only from legitimate senders. For a real newsletter you recognize, unsubscribing is fine and safe. Do not click "unsubscribe" on sketchy or adult junk, because that can just confirm your address is live. When you do want to opt out cleanly, unsubscribe from emails here.
5. Tighten your provider filters. Set stricter junk rules once. If you are on Gmail, our step-by-step guide covers every method to block spam emails in Gmail, including filters that auto-archive by keyword or domain.
6. Put a learning screener in front of your inbox. Static rules cannot keep up with hundreds of new senders. Spam Blocker inside Leave Me Alone learns from what you keep versus what you delete, and it never sends your email content to an outside AI. Pair it with the Inbox Shield screener so brand new senders have to be approved before they reach you. Leave Me Alone is built privacy-first and never sells your data.
7. Protect the address going forward. Stop posting your main email publicly, and use aliases for signups and shopping. If one alias gets bombed, you shut it off without losing your real address.
The honest limits
A few things to accept up front:
- You usually cannot identify the culprit. The mail comes from real sites, so there is no trail. Make your peace with that and focus on cleanup.
- A bad wave takes days to weeks to settle. Reporting and screening cut it down fast, but double opt-in confirmations and stragglers keep trickling for a while.
- Filters cannot fix a compromised account. If fraud is underneath the flood, no spam tool undoes it. That is why checking for fraud comes first.
Frequently asked questions
Can I find out who signed me up for spam?
Almost never. The confirmation emails come from real websites, not from the attacker, and bots hide the source. Unless the person admits it or police get involved, tracing it is not realistic.
Is it illegal to sign someone up for spam?
It often can be. Doing it without consent can break anti-spam and computer-misuse laws and may count as harassment. Proving who did it is the hard part, which is why targeted, high-volume cases are the ones worth reporting.
Should I delete my email account over this?
No, not as a first move. Deleting your address is disruptive and rarely needed. Checking for fraud, reporting, blocking, and adding a learning screener stops the vast majority of these floods.
Why am I getting emails I never signed up for?
Because someone or a bot entered your address into signup forms, or your address leaked onto mailing lists. Confirmation and welcome emails you did not request are the classic sign of subscription bombing.
How long until the spam flood stops?
With reporting, filtering, and a screener, the worst usually eases within days. A heavy wave across many lists can tail off over a couple of weeks as slow senders finish arriving.
Bottom line
Someone signing you up for spam is almost always subscription bombing, and you usually cannot find out who. That is fine, because the tracing does not matter as much as the checkup. Rule out hidden fraud first, lock down your key accounts, then report, block, and put a learning filter in front of your inbox. Start with Spam Blocker. Spot something wrong in this guide? Email us and we will correct it.