I'm using Amazon SES email from the django-ses module. I have two SES-verified addresses; SES is restricted to sending only to those addresses. There's a DKIM string on my domain's DNS configuration. SES is accessed using django-ses from a contact form on my website that's protected by Recaptcha.
Recently I've begun getting spam sent to those verified addresses coming from SES. Messages in Russian, messages containing website links, messages starting with "Hey guys...". I get about one per day.
There are many questions on the net about SES emails going to the spam directory. That is NOT the issue here. The emails are received by my InBox; they are just bogus, hacked emails.
I changed the SES API key and Secret key, to no avail.
Where do I look next?
(I don't have AWS Support, and find nothing in their Knowledge Base.)