I've recently started receiving the occasional piece of junk mail from friends and colleages who have e-mail accounts at some of the larger webmail services (Hotmail, GMail, etc). The messages genuinely seem to come from their accounts, with proper message headers indicating that they were really sent via the webmail service, and sent to everyone in their address books.

This has been noted before and is apparently becoming more common:

How does this happen? Best guess on what I've read so far seems to be that people have voluntarily given away their account login details to various "social networking sites" to automate inviting their friends. These sites either behaved in a less than ethical manner, or were subject to a security breach. (How many of them routinely use HTTPS -- secured web connections? Probably not many.)

The other possibility that needs considering is use of the services on open wireless networks, such as you might find in cafés and airport departure lounges. Theoretically anybody could be listening on the network, picking up your login details. Apparently both GMail and Hotmail use HTTPS for logins, but many webmail services do also offer unencrypted POP3 and IMAP4 logins to their services, which might be more susceptable to attack.

However this is happening, if the exploit is not blocked fast, then it will pose a major difficulty for automated spam blocking systems, as it makes discerning between spam and ham that much more difficult. Projects like SURBL:http://www.surbl.org/ may still be able to help, as rather than looking at message characteristics, they look at the URIs(Uniform Resource Identifiers) included in the message, to check if they've been spotted in known spam before. It may be that we have to start treating all messages from the major webmail hosts with a higher degree of suspicion.