So this standard email format: would become something like: use the app's name so it's easier to find the culprit. The next time you sign up for an account with an app or website, add a + symbol and a unique identifier after your user name, but before the symbol. But companies get away with it because they're not the ones directly spamming you, so you don't normally have a way of knowing which service is the one who sold your data. It's a shady tactic that's symptomatic of the current era of big data, and it may even be illegal in some jurisdictions. Not directly, no - you sign up for an app or service and happily hand over your email to verify your new account, then that app or service sells your email address to marketers who now know what kinds of apps and services you like.
How do spammers get your email? You give it to them.
