There are as many ways of harvesting emails for malicious use as there are villains on the internet.
IMPORTANT: most of these methods are outright illegal in most jurisdictions; and some will put you in contact with dangerous people. All of these involve risk, including financial risk, risk of jail or other legal consequences, and/or risk of personal violence. I DO NOT CONDONE OR RECOMMEND PERFORMING ANY OF THESE ACTIVITIES.
Email addresses are easy for a program to recognize, as they all follow a standardized format. So web site scraping becomes an easy way, assuming you can find a site listing a bunch of email addresses. Fortunately for all of us, such irresponsible sites are becoming fewer and fewer.
Chain letters used to be a good source of spam: "send this email to 23 of your closest friends and angels will bring you spaghetti and beer, and be sure to include evilspammer@example.com" will result in lots of valid email addresses on the To: and Cc: lines. Chain letters are especially valuable because the recipients are already 'real' addresses, and the people who re-send them are often the kind of people that are taken in by trickery.
Some people post their chain letters on Facebook, Google Groups, Reddit, or other public places, where scammers greedily scoop them up. However, I believe that practice has dwindled as of late, because there are easier sources of addresses to harvest.
If you are criminally inclined, and if you have the right connections, and you can get an introduction from the wrong kind of person, you can find all kinds of malicious resources on the dark web:
- Email addresses are available in bulk; these are often available as tested addresses, guaranteed not to bounce. The sellers even use customer service agents to honor their guarantees, and for every address that bounces they will send you a different address as a replacement.
- You can hire "spam as a service", where a criminal who keeps his own list of email addresses will send your message out using his resources, such as a bulletproof hosting server, or botnet, or other system. These might be a fixed rate, such as $1.00 per thousand spams; or they might agree to take a cut of the profits, such as 50% of each bottle of pills (or whatever) sold. They enforce this by including their own referral links in the spam message.
- You might decide to bypass the spamming stage entirely. On the dark web you can purchase credentials to access already compromised systems. Why send out your own phish when someone else has already done the hard work for you?
But if you simply want large volumes of email addresses, breaching a site yourself may be the cheapest path to take. There are many, many ways sites are vulnerable and can be breached, but the most common of them all is an attack called "SQL injection". The nice thing about SQL injection attacks is that they result in some kind of access to the database behind the site; and those databases often hold customer email addresses. If you find a way to exfiltrate the email addresses from the server, you'll have plenty of spam victims.
The latest 500m Facebook breach was another way to acquire lots of emails: abuse the API of a service that holds email addresses. The Facebook attack was demonstrated by a researcher who made up a random 10-digit phone number, asked Facebook to find his friend with that number, and then repeated it for every other 10-digit number. Facebook happily connected his account to every other account that had a phone number, providing him with their email addresses.
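A defender-side check for the lookup enumeration described in the last paragraph, added here as an example and not part of the original answer: it flags accounts that query an unusually large number of distinct phone numbers within a short window. The log tuple layout, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def flag_enumerators(events, window_s=300, max_distinct=200):
    """events: iterable of (unix_ts, account, phone, matched).
    Returns {account: peak} for accounts that looked up more than
    max_distinct different numbers inside any window_s-second span."""
    per_account = defaultdict(list)
    for ts, account, phone, _matched in events:
        per_account[account].append((ts, phone))

    flagged = {}
    for account, rows in per_account.items():
        rows.sort()
        recent = deque()            # lookups still inside the window
        counts = defaultdict(int)   # phone -> occurrences inside the window
        peak = 0
        for ts, phone in rows:
            recent.append((ts, phone))
            counts[phone] += 1
            # Evict lookups that have aged out of the sliding window.
            while recent[0][0] <= ts - window_s:
                _, old = recent.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[account] = peak
    return flagged

def constructed_sample():
    """Constructed log, not real data: one address-book sync, one enumerator."""
    events = []
    # acct-sync re-uploads the same 40 contacts once an hour.
    book = [f"555{n:07d}" for n in range(0, 4000, 100)]
    for hour in range(3):
        for i, phone in enumerate(book):
            events.append((hour * 3600 + i, "acct-sync", phone, i % 2 == 0))
    # acct-enum walks consecutive numbers, two lookups per second for 10 minutes.
    for i in range(1200):
        events.append((10 + i // 2, "acct-enum", f"555{1000000 + i:07d}", i % 50 == 0))
    return events

if __name__ == "__main__":
    print(flag_enumerators(constructed_sample()))
```

Counting distinct numbers rather than raw requests keeps a client that repeatedly re-syncs the same address book from tripping the threshold.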