Here's what I think you should do if you've received unwanted spam in your inbox.
- Most importantly, you should click the "report spam" button offered by Gmail, Outlook.com, Yahoo Mail, etc. to train the ISP that the sender's domain and IP address are being used for bad things. (If the bad email is already in your spam folder, skip this.) Sometimes this generates a report that is mailed back to the sender's ISP or mail platform, sometimes not. But it does get tracked by the ISP either way, and enough of these spam votes will cause a sender to get blocked or driven to the spam folder.
- Look at the from address -- is it from what looks like a real domain, or some domain totally unrelated to the brand? If Sears is emailing you from sears.com, it's probably safe to unsubscribe. But if Sears is emailing you from Gmail.com or some domain in Brazil or Uzbekistan, the email is likely forged and attempting to unsubscribe will get you nowhere. (Checking the message source to look for DKIM and DMARC success is a good expert-level thing to consider in this step.)
- Find the sending IP address (here's how) then plug in that IP address here and see if abuse.net or ARIN/RIPE/APNIC/etc. have a suggested abuse reporting address. If so, send a spam report to those addresses. Include the full headers (copy and paste everything from "show original" or "view source" into a new email message). Don't expect miracles in response. Some ISPs do nothing. Some ensure that you get unsubscribed (only). Others may do that but also track which of their clients generates the most complaints and may investigate further, and possibly take action against the spamming entity. You likely won't have visibility into any of this -- the best an end user can hope for is that the mail stops.
Also be sure to check and see if the domains used in the email message are listed here on my ESP Abuse/Spam Contact List "Quick List" -- maybe you'll get lucky and find contact information there.
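The header checks from the steps above (DKIM/DMARC results and the sending IP) can be pulled out of a pasted "show original" dump with a short script. This is an added example, not part of the original post; the sample headers, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Relay-internal ranges to skip; documentation ranges stay visible for the demo.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample headers (not from a real message); newest hop is on top.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [10.1.2.3])
    by inbox.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.bulk-sender.example (unknown [203.0.113.45])
    by mx.example.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.net; spf=softfail
    smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=brand.example
From: "Brand Deals" <offers@brand.example>
"""

def auth_verdicts(msg):
    """SPF/DKIM/DMARC results; the topmost header (your provider's) wins."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def sending_ip(msg):
    """First non-internal IPv4 address, reading Received headers top-down."""
    for header in msg.get_all("Received", []):
        for candidate in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. an octet above 255
                continue
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def triage(raw):
    msg = email.message_from_string(raw)
    verdicts = auth_verdicts(msg)
    return {"from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
            "sending_ip": sending_ip(msg), "verdicts": verdicts,
            "authenticated": verdicts.get("dmarc") == "pass"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the Received and Authentication-Results lines added by your own mail provider are trustworthy; anything below them can be written by the sender, which is why both functions read top-down.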
Don't ask me how a particular sender obtained your email address -- there are just too many ways it can happen. I just can't tell for sure. I will say, though, that if you work in email, make sure you aren't giving out your main email address to clients for testing. Use a dedicated test address at each webmail provider (Gmail, Yahoo, Hotmail, etc.) so you can keep that separate. I'm not really going to report stuff as spam if it came to my test address, assuming I gave the address out to a client or potential client in the past. (And sometimes you might end up working with a client who ends up leaking or selling email addresses -- most good companies would never do this -- but this helps protect your core personal email address. Mine, I prefer to keep clean and clear of stuff not of personal interest to me.) I'm not saying all (or even any) marketing senders are going to spam you or sell your address. But if you keep the streams separate, you'll never have to wonder.
What you see in your inbox is only a tiny sliver of what spammers are actually sending. ISPs block a TON of mail and most have very aggressive spam filters -- deliverability people know this from seeing some clients get caught up in those filters. So know that an ISP is not intentionally wanting to allow bad mail through. They know it makes their users upset and they're working hard to track and block bad guys. The bad guys know this, too. So it's a bit of an arms race. Can the bad guy evade the filter? Maybe, but not forever. So bad guys are constantly trying new things to see what gets through filters. And ISPs are watching for this. Hopefully, given enough time, and spam reports, those bad guys spamming you will end up blocked and you won't have to deal with them in your inbox any more.