Yes, that's correct.

OK, so I understand you use your own smtp server on your own hardware and then that connects directly to gmail's mx, I don't see how someone could take advantage of that unless you were using some sort of shady ISP / colocation service which I'm guessing you're not. 🤷‍♂️

We are not using any external service. We are sending the notifications directly from our web server.

I tried that, but reproducing can be flaky at best in such situations.

What service do you use to send out forum emails (notification, registration, etc)? Everyone in that chain has access to the email addresses as well.

We have no indication that our user database was leaked. And there are only three people (including me) who have the access. I'm sure none of us did share the addresses with anyone else. Also you are the only one so far, who reported such problem. I'm not sure how to investigate this. Do you want to try to register another address?

Hello Martin, thanks for the reply. Unfortunately both things seem to be linked in time. If you say you do not share email addresses, then maybe something like this is happening unknowingly. Maybe someone who has access to the database is doing that, or maybe you have some form of data breach happening. Do you want to investigate this issue?

We do not share the addresses of our users.

Hello,
I have recently signed up to the winscp.net forums in order to be able to post here. It was a mistake. This website shared my email address with kiwi.com who now send me spam about flights. This is the only website I've signed up to on that email address since several months. The spam arrived less than a day after signing up here. It is the first piece of spam ever to arrive on that relatively new email address.

Please explain to me why you share people's email addresses with spammers.

Thanks.