JunkMail
Back to blog
I Created a Trap Email Address and Gave It to 50 Sites: Here is the 24h Carnage

I Created a Trap Email Address and Gave It to 50 Sites: Here is the 24h Carnage

A real experiment on the speed of spam propagation. Spoiler: your email address travels faster than you do.

By Investigation Team1/3/2026

It’s a question we all ask ourselves, usually while furiously deleting yet another newsletter for solar panels when we live in a basement apartment: "How on earth did they get my address?"

We blame fate. We blame that old 2014 Facebook contest. But rarely do we realize the staggering speed at which our data circulates today.

To find out for sure, I decided to run an experiment. A slightly masochistic one, I’ll admit.

I created a blank email address on JunkMail: honeypot-experiment-01@junkmail.site. And for one morning, I threw it to the most ravenous corners of the web.

Here is the chronicle of those 24 hours in hell.

The Protocol: How I Ruined This Mailbox

For this test to be scientific (and fun), I had to vary the sources. I didn't just sign up on shady sites. I targeted four very common categories of "suspects":

  1. The "Freebies" (15 sites): Those "How to get rich with dropshipping" ebooks and marketing white papers that ask for your email to download a 3-page PDF.
  2. The Comparators (10 sites): Insurance, loans, travel. Those endless forms that promise the "best price."
  3. Contests (15 sites): Win an iPhone 15, a trip to the Maldives, or a year's worth of cat food.
  4. "Discount" E-commerce (10 sites): Those shops that sell USB cables for $0.50 and offer you 10% off for joining their newsletter.

Total: 50 sign-ups. Start time: 09:00 AM. Initial state: 0 emails. The calm before the storm.

10:30 AM: The Honeymoon (The Deceptive Calm)

1.5 hours after my sign-ups, the results are... disappointing. Or reassuring?

I’ve only received 48 emails. Wait, 48? For 50 sign-ups? Yes. Two sites didn't even bother to send the promised confirmation.

At this stage, everything is "legitimate." These are welcome emails: "Thanks for joining," "Your ebook is here," "Please confirm your address." It’s clean. It’s polite. Gmail’s spam filters would have let all of this through with a smile.

This is where the trap closes. By clicking "Confirm," I just validated to these 48 bots that:

  1. This address exists.
  2. There is a human behind the click.
  3. This human is "receptive" (read: naive).

My market value just decupled.

02:00 PM: The First Cracks

I’m back from lunch. I refresh my JunkMail box. Counter: 62 emails. (+14)

This is where it gets interesting. I haven't done anything since this morning. I haven't signed up anywhere else. Yet, I have 14 new messages.

Who are they?

  • An offer to "Renegotiate my mortgage insurance" (I don't have a mortgage).
  • A "Unique opportunity" in Bitcoin.
  • And curiously, a newsletter about gardening.

By analyzing the technical headers of these emails (the invisible source code), I notice something fascinating. The gardening email comes from the same sending IP address as one of the marketing "Freebie" sites from this morning.

Conclusion: They share their databases. Or worse, they belong to the same nebula of sites created solely to harvest data. I gave my email to Site A, and Site B is already writing to me.

Propagation time: less than 4 hours.

07:00 PM: The Flood Begins

The workday is over. Not for the spammers. Counter: 115 emails. (+53)

The dam has burst. It’s no longer a drip; it’s an open faucet.

What's striking is the change in tone. We’ve moved from the polite "Welcome" of the morning to pure commercial aggression.

  • "LAST CHANCE!!!" (in red and all caps)
  • "Your package is waiting" (the classic phishing scam)
  • "Leandre, you forgot this..." (No, my name isn't Leandre on this address, but they’re trying to guess).

I’ve also received my first spams in foreign languages. Italian, Russian. My address has traveled. It was likely listed on an exchange file or sold in real-time on a programmatic marketplace (RTB).

In 10 hours, my address has gone international.

Next Day, 09:00 AM: The 24-Hour Post-Mortem

I wake up, grab my coffee, and open JunkMail with some trepidation.

Final Counter: 342 emails.

Let me repeat that. I gave my address to 50 (mostly) legitimate sites. In 24 hours, I received 342 solicitations.

That’s a ratio of 7:1. For every voluntary sign-up, I received 7 unsolicited emails in a single day. Imagine that over a week. A month. A year.

The Autopsy

If I had used my real pro or personal address for this experiment:

  1. My phone would have buzzed 342 times.
  2. I would have lost about 45 minutes sorting, deleting, and trying to unsubscribe (unsuccessfully, as the unsubscribe link is often a decoy that confirms you are a reader).
  3. My address would now be "burned." Marked as "active and receptive" in hundreds of databases. I would be condemned to receive this digital background noise forever.

The Moral of the Story

This experiment proves one terrifying thing: there is no undo button on the Internet.

Once you click "Send," you lose control. Your data no longer belongs to you. It is copied, fragmented, sold, resold, and stored on servers you don't even know exist.

The only way to win this game is to not play with your real pieces.

I deleted the address honeypot-experiment-01@junkmail.site with one click. The 342 emails vanished. Future follow-ups will bounce off a wall. The spammers will waste their resources writing to a ghost.

And me? I can go back to my real mailbox. It’s clean, quiet, and safe.

Because for everything else, I have JunkMail.

Do the experiment yourself (without the risks). Create a disposable address now and see who tries to spam you.