Do the offending sites just spoof the 'from' address or does it really
use the victim's mail account to send these mails! If it is indeed
using the victim's mail id will not the victim resetting his password
prevent further abuse .... like it happened in suhail-yaari case!
regds,
mano