Why does SES report bounces and complaints for emails sent to addresses not sent to?

It appears there may be some misunderstanding or unexpected behavior in your SES setup. Let's clarify a few points:

1. SES should not report bounces or complaints for email addresses that were not actually sent to. This is not normal behavior.

2. The suppression list is designed to include email addresses that have previously caused hard bounces or complaints. If addresses are being added without you sending to them, this suggests there might be unauthorized use of your SES account or a misconfiguration.

3. SES showing send activity when there was none from your LightSail instance is concerning. This could indicate that someone else might be using your SMTP credentials.

4. Changing the SMTP access key is a good first step, but if the issue persists, there might be a deeper problem.

To address these issues:

1. Review your AWS account for any signs of unauthorized access or use.
2. Check your SES console for any unexpected configuration changes or additional authorized senders.
3. Verify that no other applications or services within your organization are using the SES credentials.
4. Consider enabling SES sending events logging to Amazon CloudWatch Logs for more detailed tracking of email sending activities.
5. Contact AWS Support for a thorough investigation of your account activity and SES configuration.

Remember, SES is designed to accurately report on actual sending activity and maintain the suppression list based on real bounces and complaints. If you're seeing discrepancies, it's crucial to investigate further to ensure the security and proper functioning of your email sending infrastructure.
Sources
Understanding email deliverability in Amazon SES - Amazon Simple Email Service
Amazon SES and deliverability - Amazon Simple Email Service