If you use Gmail, Hotmail or another of the generic 'free' email services then the spammers don't even have to buy your email address from another's list - they can just guess it. Most want an email address with a real name so you ask for
john.smith@whatever.com but that's already taken so you get john.smith778@...... a small java prog would cycle through all of those and all the other possible firstname / surname combinations as well as common nicknames - and would note those addresses that didn't result in an Unknown User message.
One indicator of this is where you start getting spam emails the day after you register the address when you haven't even told your friends!
Both Gmail & Hotmail (and others) provide a spam/phishing service if you look at the relevant webmail page and will block keywords or domain names/email addresses you flag.
Android phones usually require a Gmail address so I have used the format firstname.initial.surname@.... with success, neither of my children (nor the wider family members) suffer spam email.
