What is spam email? Definition, real examples, and why you get it

Spam email is unsolicited bulk email: messages sent to a large number of people who never asked for them, usually to sell something, steal something, or trick the recipient into clicking a link. The two defining traits are consent and volume. You did not opt in, and the same message went to thousands or millions of other inboxes at the same time.

A magnifying glass examining a suspicious envelope, flat illustration

Spam is not a niche problem. According to Kaspersky's Spam and Phishing in 2024 report, 47.27% of all emails sent worldwide in 2024 were spam. Almost half of everything moving through the world's mail servers is junk that nobody wanted.

This guide defines spam properly, separates it from graymail and phishing (three things people constantly mix up), walks through the most common spam categories you will actually see, and explains why your address ended up on the lists in the first place.

In plain terms, spam email is any message that is both unsolicited (you never gave the sender permission) and bulk (sent to many recipients at once). A single unwanted email from one person is annoying, but it is not spam. A million identical "You've won!" messages blasted at a purchased list is.

The law adds more precision, and it differs by region.

In the US: CAN-SPAM

The CAN-SPAM Act does not ban unsolicited commercial email outright. It regulates it. Under the FTC's CAN-SPAM compliance guide, senders must not use false or misleading header information, must not use deceptive subject lines, must identify the message as an ad, must include a valid physical address, and must honor opt-out requests within 10 business days. The law applies to all commercial email, with no exception for business-to-business messages. Each separate email that violates the act can draw a penalty of up to $53,088.

The key point: CAN-SPAM is an opt-out regime. In the US, a company can legally email you first, as long as it follows the rules and stops when you say stop.

In the EU: ePrivacy and GDPR

Europe takes the opposite approach. The ePrivacy Directive (2002/58/EC) only allows email for direct marketing to people who have given their prior consent. There is one narrow exception: a company that obtained your address through a sale can market its own similar products to you, provided you can object easily and for free in every message. GDPR layers on top of this, governing how your personal data (your email address included) can be collected and processed in the first place.

So the same message can be legal in the US and illegal in the EU. The spam in your inbox usually ignores both laws anyway, because most of it comes from senders who never intended to comply.

Spam vs graymail vs phishing: three different problems

People use "spam" as a catch-all for every unwanted email, but the inbox clutter you see actually splits into three categories, and each one needs a different response.

  • Spam is unsolicited bulk email from a sender you have no relationship with. You never opted in. It is often illegal, the sender is usually hiding, and unsubscribing is pointless or risky.
  • Graymail is legitimate bulk email you technically opted into and no longer want. Newsletters from a store you bought from once, notification digests, promotional emails from real brands. It is legal, the sender is identifiable, and unsubscribing works.
  • Phishing is not marketing at all. It is an attack. The message impersonates a bank, an employer, or a service you use, and tries to steal credentials, payment details, or money. Volume does not matter; one well-crafted phishing email is the threat.

The distinction matters because the right action differs. You unsubscribe from graymail, you block and report spam, and you delete and report phishing without clicking anything. We cover the spam-vs-junk terminology in detail in is junk mail the same as spam, and we have a full guide on how to recognise phishing emails and how to stop them.

Spam email examples by category

Common categories of spam email all try to look legitimate at first glance

These are the patterns that make up most real-world spam. The wording changes constantly, but the structures repeat. (The examples below are descriptive composites of common patterns, not quotes from real messages.)

Fake invoice and payment spam

A message claims you owe money or that a payment failed. Typical shapes: an "invoice" PDF attached for something you never bought, a "your subscription has renewed for $399" notice with a phone number to call to cancel, or a "payment declined, update your billing details" link. The goal is either to get you on the phone with a scammer or to harvest your card details on a fake page.

Prize, lottery, and giveaway spam

You have supposedly won something: a lottery you never entered, a gift card from a big retailer, the latest phone. To claim it, you just need to pay a small "processing fee" or fill out a form with your personal details. The prize never existed.

Crypto and investment pump spam

Messages pushing an obscure token or stock that is "about to explode," often dressed up as leaked insider information or a tip from a famous investor. The senders hold the asset and need buyers to inflate the price before they dump it. Variants promise guaranteed returns on trading platforms that simply take your deposit.

Health miracle spam

Pills that melt fat without diet, supplements that reverse aging, products that cure conditions medicine cannot. These mostly funnel you to sketchy stores that take your card details and ship nothing, or something useless, or enroll you in a hard-to-cancel monthly billing scheme.

Fake delivery notice spam

A courier supposedly tried to deliver a package and needs you to confirm your address or pay a small customs fee. The link leads to a credential or card-harvesting page. This category surges every holiday season because most people genuinely are waiting for a package.

Sextortion spam

A message claims the sender hacked your webcam and recorded you, and demands payment in cryptocurrency to keep the footage private. To look credible, it sometimes includes a real password of yours pulled from an old data breach. There is no footage. The script is sent blind to millions of addresses, and the leaked password is the only real thing in it.

Why you get spam in the first place

Spam is a targeting problem before it is a filtering problem. Your address got onto lists through a few well-known routes:

  • Address harvesting. Bots scrape email addresses from websites, forums, social profiles, and public documents. If your address is visible anywhere on the public web, it has been collected.
  • Data breaches. When a service you signed up for gets breached, your address (and sometimes passwords) ends up in dumps that circulate for years. This is also where sextortion spam gets your old password.
  • List resale and trading. Some companies sell or share the lists they collect. One sketchy signup can propagate your address across dozens of senders.
  • Dictionary attacks. Spammers also just guess. Common name patterns at big providers (firstname.lastname@) get spammed without any leak at all.
  • Confirmation by interaction. Once you open remote images, click a link, or reply, the spammer marks your address as live, and it becomes more valuable to resell.

We break down each of these routes, and how to find out which one hit you, in why am I getting so many spam emails.

What to do about spam

You cannot get off the lists, but you can make spam stop reaching you and stop costing you attention.

  • Never reply, never click, and never unsubscribe from true spam. All three confirm your address is active. The unsubscribe rule has a nuance: for graymail from legitimate senders, unsubscribing is correct; for spam from unknown senders, it backfires.
  • Report it. Marking messages as spam trains your provider's filter and hurts the sender's deliverability everywhere.
  • Cut the graymail separately. Legitimate-but-unwanted bulk email responds well to mass unsubscribing, which is what Leave Me Alone was built for, alongside a real-time AI Spam Blocker that filters junk privately, without sending your email content to any outside AI company.
  • Protect the address itself. Be stingy with where you enter your real email, and use aliases for signups you do not fully trust.

For step-by-step walkthroughs, see 5 simple ways to stop spam emails and 5 steps to get rid of spam emails.

Frequently asked questions

Is spam email illegal?

It depends on where the recipient is and how the message was sent. In the US, unsolicited commercial email is legal if it complies with the CAN-SPAM Act: honest headers, honest subject lines, a physical address, and a working opt-out honored within 10 business days. Violations carry penalties of up to $53,088 per email. In the EU, the ePrivacy Directive requires prior consent before marketing email can be sent at all, so most spam is illegal by default there. In practice, the bulk of real spam violates the law in both regions and is sent from infrastructure designed to dodge enforcement.

What happens if I open a spam email?

Opening a spam email is usually safe in itself. Modern email clients do not run code just because you viewed a message. Two caveats. First, if your client loads remote images automatically, a tracking pixel in the message can tell the spammer you opened it, which confirms your address is active and invites more spam. Most providers let you turn off automatic image loading. Second, the real danger is interaction: clicking links, opening attachments, replying, or calling phone numbers in the message. Opening is low risk; engaging is the risk.

What does spam stand for?

Nothing. It is not an acronym. According to Merriam-Webster, the email sense of "spam" comes from a Monty Python's Flying Circus sketch in which the word "Spam" is chanted so repetitively that it drowns out the rest of the dialogue. That fit unwanted bulk messages flooding out normal conversation, and the usage stuck. Merriam-Webster dates the first known use of the noun in this sense to 1990.

How much email is spam?

Kaspersky's Spam and Phishing in 2024 report found that 47.27% of all emails sent worldwide in 2024 were spam. The share you actually see is much lower because provider filters catch most of it before it reaches your inbox.

Spam is permanent background noise on the internet, but your inbox does not have to absorb it. Leave Me Alone's spam blocker filters spam in real time and clears out the graymail underneath it, so the only mail left is mail you chose.