In the past 3 weeks, I have started receiving spam emails using friends’ email as FROM. I notice 3 things about these emails:

1. They have many contacts from my friends’ address / contact list in the TO list, which means the spammer has or had access at some point to my friends’ email accounts. 
2. When my friends run up to date Anti-Virus scans on their computers, they find no malware or problems.
3. The originating IP address is not the user’s account. For example I have this happen to friends whose email accounts are either Yahoo or AOL, but the originating IP address is perhaps in France or as in the case today, from:

Received: from unila.ac.id (unknown [181.29.164.254]) by zimbra.unila.ac.id

Even the emails don’t originate from Yahoo or AOL, I strongly suspect it was their online accounts that were hacked at some point. 

If anyone has heard how these spammers are getting these address books, I’d be interested in knowing what is happening. I do note that one of my friends never sends me email with multiple addresses in the TO list, so I don’t think it was just a case of harvesting.