Change your password.
A joe job is when a spammer sends out their spams from their own account(s), and their own ISP(s)
People often give this advice. It sounds good, but I believe it is not useful. To read why, go to this thread...
How was this spam generated? • mozillaZine Forums
The point is that the "access" account (address and password) that the spammer used is probably different from the "reply to" address. Why do people assume they are the same? We can tell the "reply to" victim to change their password, but it won't solve the problem. My friend changed her password recently and her friends are STILL getting spam with her in the "reply to" address.
If we want to help people, we need to get yahoo to investigate which "access" account was used by the botnet to get into their system. I would like to start a thread on this. I think it is an important discussion.
A spammer would do that when they are depending on you to click a link or start a new email to an email address listed in the spam email. They are not depending on a reply to the From: or Reply-to: address to succeed in accomplishing whatever is being pitched in the spam email. To save resources on their end, so they don't have bounces coming back at their servers chewing up bandwidth or mail server connections, they'll use an innocent 3rd parties email address when sending the spam. Which brings us to...Huh? When would a spammer ever do this?
It's useful, I'll expound a bit below but also echo what Ray (Popowich) said. If it's someone using your email address as the sender but it not actually coming from your account; that's called 'spoofing' (aka Joe Job)
If mail is going out to your contact list as the original poster suggested, it's very likely that someone has access to the account