Spammers are always looking for ways to circumvent spam-control techniques. So, one of the things spammers value most is relationship data: who emails whom.
If they know that bill@example.com is associated with mary@sample.com, they can send a forged email to Mary that appears to come from Bill, with a high degree of confidence that it will not be filtered and will probably be opened. This email doesn't have to (and probably doesn't) originate on Bill's computer.
They have a number of ways to get this data. Some involve malware (viruses, etc.) that steals your address book. Some trick you into voluntarily revealing that information.
Just as an example, here's a scenario. Some websites have cute internet greeting cards that you can send to others. You enter your email address, your friend's email address, and pick a card. Suppose you pick a HAPPY BIRTHDAY card from a spammer's website.
You have just given them your email, your friend's email, and the approximate date of your friend's birthday. Next year, the spammers can send your friend an email that appears to come from you with the subject 'Happy birthday!'. Do you suppose they will open that email? What if it has a link to a malware loader in it? What are the chances they'll click it?
The takeaway here is:
1) The email protocol (SMTP) dates from the early 1980s and was not designed with any sort of security in mind. There is (currently*) no sender authentication. So, everything about an email that is immediately visible to the normal user is easily forged.
You cannot believe the FROM field. Just because it says it's FROM your friend does not mean it came from their computer. Anyone, using only the software that comes with Windows (or any other operating system), can forge an email that appears to come from anyone else and send it anywhere. There are no checks* to make sure the sender is who he says he is.
2) Never, ever enter anyone's email address other than your own into any website. It is not YOUR information to give them. How would you like it if your friends gave out your phone number to any yahoo that asked for it? It's the same thing.
3) Never, ever open any attachment or click any link in an email. It is only safe when you have independent confirmation. For instance, your friend calls you and says "I just sent you some pictures of our new RV, check your email".
4) Banks, the IRS, UPS, and other similar institutions will NEVER send you emails with links in them asking for your information. Never.
5) Links are easily forged: the text you see can say one address while the link actually takes you somewhere completely different, even in forums like this. See where this takes you:
http://www.disney.com Don't be fooled!
*There is SPF, but it is not widely used yet.
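To make points 1) and the SPF footnote concrete, here is an added example (not part of the original post) showing the two separate "senders" in an email: the From: header that the recipient sees, and the envelope sender (MAIL FROM) that the SMTP relay handles. It also implements a tiny subset of the SPF check a receiving server could run. All domains, addresses, IPs and SPF records below are constructed for the example; the "DNS" is an in-memory table.

```python
"""Forged From: header vs. the SMTP envelope, plus a minimal SPF check.

Added illustration: every domain, address, IP and SPF record here is
made up, and FAKE_DNS_TXT stands in for real DNS TXT lookups.
"""
import ipaddress
from email.message import EmailMessage


def build_forged_message(displayed_from, to, subject, body):
    """Return RFC 5322 text whose From: header claims `displayed_from`.

    SMTP never verifies this header; it is just text the client typed.
    """
    msg = EmailMessage()
    msg["From"] = displayed_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def smtp_envelope(envelope_from, rcpt_to, message_text):
    """The command sequence a client sends after HELO/EHLO.

    MAIL FROM is the envelope sender; it does not have to match the
    From: header inside the DATA section, and relays do not cross-check.
    """
    return [
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        message_text,
        ".",
    ]


# Constructed stand-in for DNS TXT records (hypothetical domains).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT):
    """Evaluate a small subset of SPF (RFC 7208): ip4/ip6 terms and `all`.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Real SPF also handles a/mx/include/redirect, which are omitted here.
    """
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return qualifiers[qual]
    return "neutral"  # record exhausted without a matching term or `all`


def check_envelope_sender(envelope_from, sender_ip, dns=FAKE_DNS_TXT):
    """SPF is evaluated on the MAIL FROM domain, not on the From: header."""
    domain = envelope_from.rsplit("@", 1)[-1]
    return check_spf(domain, sender_ip, dns)


if __name__ == "__main__":
    text = build_forged_message("bill@example.com", "mary@sample.com",
                                "Happy birthday!", "Open the card: <link>")
    # Spammer's relay at a constructed IP that example.com never authorised.
    print(check_envelope_sender("bill@example.com", "203.0.113.5"))        # fail
    # Same forged From: header, but an envelope sender the spammer controls.
    print(check_envelope_sender("bounce@spammer.example", "203.0.113.5"))  # none
    for line in smtp_envelope("bounce@spammer.example", "mary@sample.com", text):
        print(line)
```

The second call shows the caveat a practitioner should know: SPF only authorises the envelope domain. A spammer who puts their own domain in MAIL FROM (or one with no SPF record) gets a "none" result while the From: header still reads bill@example.com, so SPF alone does not stop the forgery described in the post; it only catches the lazy case where the forged address is used in the envelope too.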