Spam message using valid email?

[WebCMS]

A guest sent a spam message through Contact form using a valid email address (admin's personal hotmail that is not associated with any member) and we receive a "Verify your email" notification at the personal email and after verification, we get the spam message delivered. How is this possible?

"Verify your Email" received at admin's valid personal email address (not associated with any user) - you can replace the "domain" with our domain name to derive the email address:

/index.php?app=core&module=system&controller=redirect&url=https://domain.com/contact/?do=confirm%26key=3d71bd549c55805525a41ab06374a695%26email=<domain@hotmail.com>&key=76e04b511b33a076abd72f1a33d7e5d166bf11bd855743773be29f7758394a30&email=1&type=contact_verify

After clicking on Verify, the spam message is received at "Incoming email address"

In essence, I'm verifying my own email address to receive a spam message sent by someone using my personal email address. The spammer doesn't need access to my email account or password - just the email address to spam me as I'm verifying the message as valid because I wanted to see what it is. Did they grab my personal email address somewhere which is brand new and I never used it anywhere?

How do I prevent this spam in future now that the user knows a valid email address that I verified already?

Edited March 28 by WebCMS

[Jim M]

Sorry, it is a little confusing as email verification and the Contact Us form are two separate things. Also, the link you provide there has keys present which are specific to an instance of an email verification. It sounds like the user has attempted to register or change their email address and receive the email verification email which is correct and not "spam" as you're stating.

To prevent further confusion, could you please share a screenshot of the email? 

[WebCMS]

When the guest sent a message through Contact form, we got a "Verify your email" message at personal hotmail. After we verified it, the actual spam message got delivered at incoming-email-address.

You can add our domain to the beginning of the link and replace "domain" with our-domain-name.com@hotmail.com to derive the full URL (the email is brand new and never used anywhere - how did they know this email address?).

The message is spam (prolly a bot). Is it possible to prevent further spam messages using the email that was verified?

I tweaked the incoming-email-address address and domain display values before taking the screenshot:

 

Edited March 28 by WebCMS

[Jim M]

I'm assuming you setup this email to receive contact us requests? Thus, this is the system verifying the email before sending you the contact request. This is not the user that sent the request.

[WebCMS]

Under Email Settings, both Outgoing and Incoming email addresses are the same (support@...).

Contact Us email is set as Incoming-email:

 

I scanned through the SQL backup taken couple of weeks ago and there is no trace of the personal hotmail address in the backup.