I recently experienced a security issue, that apparently according to the Joomla Facebook forum post I have made, others have experienced as well. When installing a Rocket shaper, in my case Myriad, the uncategoprized contact Myriad (installed on the rocketlauncher becomes corrupted and sends spam email in the name of the administrative contact email.
I fouond that one of my sites had been spamming like this:
18 Jan 2020, 01:16 (4 days ago)
Why is this message in spam? It seems to be an auto-reply to a message that pretended to be sent from your email address.
Report as not spam
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
host smtp-in.orange.fr [126.96.36.199]
SMTP error from remote mail server after end of data:
550 5.2.0 Mail rejete. Mail rejected. ofr_506 
Date: Sat, 18 Jan 2020 05:16:46 +0000
Subject: Copy of: Аdult dating american оnline:
This is a copy of the following message you sent to Myriad via Parque Nacional das Emas
Find yоursеlf а girl for the night in yоur city:
I tried but was unable to find any corrupted files in the site. Do you know anything about what would cause the contact that you installed to be able to do this? There is only one component installed, and so no plug in or extention on my part should have anything to do with this.
But the issue you describe does not come about because of a corruption. When you install a "rocketlauncher" package as part of that we provide a Joomla contact (which the contact form in the demo uses). If you decide not to use the contact form (and therefore don't edit the contact provided) - or you add another contact (and don't delete the contact we provide) then it is possible for hackers to use a standard joomla url to open the joomla contact form using that contact (even if you have no active menu item).
So. To stop the spam simply delete the contact AND remove it from trash.
I also recommend that you should enable recaptcha plugin anyway to stop bots submitting your contact forms anyway.
Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.