How did a spammer get a hold of my friend's email account and send spam from her email address?

She must have downloaded an infested file (with a spyware or adware attached) which used her address book to send spam. She should run a virus test. Most likely she is unaware of this.

There is a software called AdAware—a free version is available and might help rid her computer of many spy and adware.

You don’t need someone’s password to send email as them.

Mail is sent using a protocol called SMTP, for Simple Mail Transfer Protocol, which dates to an older time on the Internet when people were more trusting. In theory, what happens is that the sending computer connects to the receiving computer for the domain and identifies who the sender is, by providing an email address. The receiving computer acknowledges, and then the sending computer sends all the rest of the email body. Later on this was enhanced so that you could send mail to other computers, and they would store it and deliver it on in batches.

Now, what should happen, in this less enlightened age: No email server should accept any mail unless the sender’s or receiver’s email is from that domain, and the sender should be authenticated and identified by more than just his or her say-so. But that doesn’t happen, because network administrators have too many other things to do.

So what probably happened is that some spammer got your friend’s email address, and used it as the return address on a batch of spam that the spammer sent through an open relay (one of the mail servers that doesn’t check the sender or recipient).

@Master: this doesn’t require a virus to happen. It doesn’t even require access to your computer, or to your webmail.

@cwilbur That’s true. But it is another way this can happen as well (speaking from experience). Better to look into all possible causes.

She got phished.
For basic protection, there’s any number of anti malware products around.
The first thing your friend should do, if he/she hasn’t already, is change his/her email password.

The best way to keep from getting phished is to not click on anything you’re not sure of.

Here’s some advice for Limewire users: Don’t use Limewire! It’s a virus factory in there.
It’s not Limewire that’s doing this but people upload all sorts of infected files just like they did with Napster.

cwilbur’s explanation is the more common occurrence, where a spammer uses the open relay. Virii are an easy explanation, but that type of virus is not common enough.

You get targeted by these types of spammers by registering for something. Or putting your email on a random website where it can be read by a spider. Ever wonder why you see more savvy internet users typing their emails as:

johndoe at domain dot com;
johndoe [at] domain [dot] com;
j o h n d o e @ d o m a i n . c o m [take out the spaces];
johndoe a t domain d o t com?

Or did you just think they were being extra difficult and trying to be fancy?