I gave up on this years ago.

Figuring out how they got hold of your email won’t be very satisfying. It’s not possible, but if it were you would find it’s some obscure forum you signed up for 10 years ago to make the search function work, which hasn’t updated their forum software during that 10 years, and is now leaking email addresses.

Point is, the horse has already bolted and now your email address is on the lists that get sold on the dark net. There’s no going back.

My understanding with spam / phishing is that most email providers will identify and remove 95% of it. gmail will catch 99.9% just because of the volume of emails going through their servers. I personally would pry my eyes out with a fork before using gmail so I’m stuck receiving 5% of spam. It’s nothing really. Every day (or several days) I look at my inbox, action and archive as appropriate, and delete the rest. It literally takes less than 1 second because I would have to “delete the rest” anyway.

As others have mentioned, “catch-all” email addresses are one method to kind of mitigate or manage the problem, but ultimately I’ve found it to be a cool trick but ultimately inconvenient and maybe pointless.