Depends on who you mean.
The GOP spams me as if I were a deranged Trump supporter, I think because my email address was the only thing they read when I signed petitions telling them to stop being evil.
The Dems spam me because I gave money to support Bernie Sanders, and they stole that and my email, and handed it to every Dem money-soliciting candidate or group in the country.
Non-profits spam me because I sign petitions and have donated once in a blue moon.
Car warranty scum spam me because I registered an automobile with the government, who betrayed my trust by making it available to such scum.
And random other scumbags spam me from whatever other lists they have bought, stolen, or otherwise found. Some companies share or sell their lists. The big social media sites are rich because they sell info about people all the time. So have other companies, for a long time.
Email addresses can also be found by writing a computer program that trawls all the web sites it can find, automatically snatching anything that looks like an email address. They also automatically try inputting spam on everything that looks like a web form – and if they then receive an email in reply, they add it to their list of active email addresses, and sell them to other scumbag companies.
And yes, email addresses can also be stolen, by gaining access to a company’s email lists, or to users’ email address books, or by listening-in to email traffic and recording all of the email addresses listed.
To then send to those email addresses, there are also many ways, either by using a server that does allow mass emails, or setting up one’s own servers to do that, or by writing programs that go create free disposable email accounts on other servers automatically, and/or by putting inaccurate information in the FROM field, or other techniques. Such software and services are sold, so the scumbags who want to spam don’t really need to figure out much in order to do it.
The Internet connects most of the planet, and mostly doesn’t have national boundaries, except occasionally for some types of web requests to some sites, or when some government like China goes full-asshole censorship or something, and that doesn’t tend to stop the sort of activity spammers are doing.
“And if we know how it’s done, why can’t we shut them off?”
– Because “we” (the people who care and would really like it shut off) don’t have the resources, power, and legal authority to do what it would take, and the people who do have those things, don’t care enough about it, and/or have other priorities.
Also, it’s a bit tricky in many cases to find the spammers, particularly the sleaziest ones who leave the least followable clues. We know where the GOP and companies are, and could shut them down if we had enough power, but the countless scammers and sleazebags, especially the ones who only temporarily use others’ machines and services, are harder to find, and may be in other countries who would object to our kill teams, cruise missile attacks on the best Hyderabad appliance repair centers, etc.