Reference Image: https://im.ge/i/bug.jwhR4
I noticed something at my customer's site that could be a possible security bug. Every so often, an email gets inserted into the email queue by a spammer (see image). The Storefront has multiple email accounts configured, and the from/to address on the spam message is the email account marked Default.
How is the spammer able to insert this message in the message queue? Is it a security bug?
Note: This is a production website. All passwords are sufficiently strong. No default passwords used.