Compromised email accounts

Though they seem to have died down recently, some months ago I started seeing spam emails sent from friends’ email addresses advertising Chinese computer hardware wholesalers. Evidently the spammers had managed to gain access to the user’s email account and had used their address book to send the messages – a good trick as many email clients make exceptions for people in address books. A variation is used by Nigerian 419 scammers who fake an email from the account’s owner stating that they have been robbed/lost their luggage etc. and asking for money to be sent to them by Western Union.

I emailed someone today who has a Hotmail address, and received an auto-response email with a similar spam message. I’m guessing that the person had had their account compromised, and the spammers had set an auto-responder up with their spam message in it. Even though the owner of the address has presumably got control of their account back, they haven’t changed the auto-responder.

Remember, never give your email password to anyone, even legitimate-looking web sites that want to search your address book for friends. The sooner more sites adopt OAuth, the better.

One Comment

  1. A warning to all of us. Security is paramount. Good article, keep it going.