Present situation: I am receiving emails at a few of my email addresses, different domain names, all housed on the same server. The emails ares spoofed (appear to be coming from each of the email addresses), but looking at the headers, they are coming from some other IP address.
I want to dismiss this threat. However I am a little concerned, as I don't know of a way for someone to discover email addresses without some access.
If you've used those email addresses anywhere, particularly on any public access forum, they were likely swept up.
If they were part of any of the multitude of public breaches that have taken place over the years, they were probably swept up.
If they were in friends or family address books and used in "CC" blasts to many places, they were probably swept up.
If they are part of a reasonable guessing algorithm pattern, they may have been generated by spammers.
In general there's no email discovery method, but keep in mind that until that last couple of years, due primarily to Google efforts, federated mail server to mail server connections were generally not encrypted. This allowed content sweeps from anywhere in the path. Due to efforts by Google, about 90% now use encrypted federated connections.
There likely is no threat or concern as long as you don't respond to the emails, either intentionally or unintentionally.
