How can spam email apparently come from a UK educational establishment ?


Offline RD (OP)

How can spam email apparently come from a UK educational establishment ?
« on: 31/08/2013 17:58:59 »
How can criminal-scam-type spam-email apparently come from a UK educational establishment?

Someone I know at a UK educational establishment (their email ends ".edu") sent me an email.
Within a few hours (before I had read or replied to their email), I got a spam email [fake PayPal] which appeared to come via their "edu" address.

I'm interested to know at what point the spammers obtain* my email address from the "edu" sender.
Is it at the educational establishment, or in transit, or (hopefully not) at my end?

BTW, by Googling a bit of the spam email header I found several other spam recipients apparently from the same UK "edu" address (apparently there are Nigerian links); the spam recipients have Yahoo / Google (Gmail) accounts, so not specific to one email provider.

(* My [disposable] email address was specific to the "edu" sender, and I had never sent an email using it, i.e. the spammer couldn't have got it from anywhere else other than the "edu" sender.)
« Last Edit: 31/08/2013 18:03:51 by RD »

Offline CliffordK

Re: How can spam email apparently come from a UK educational establishment ?
« Reply #1 on: 31/08/2013 19:18:33 »
Assuming you know the participants involved, I would encourage everyone to scan their computer for viruses and spyware & make sure their antivirus and antispyware software is up to date.

The other thing to do is to open "Full Headers" on the e-mail.  By looking at the routing of the message, you should be able to determine if the message originated from your friend's computer, or if the e-mail address was spoofed, and the message originated elsewhere.

It is also possible that a third party is involved.

So, say person A sent a letter to B & C.
Then if C's computer was corrupted with a virus, then the hacker could spoof a letter from A to B using the information obtained from C's computer.
Logged
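
The header check suggested in this reply, as an added example that is not part of the original thread: it finds the one `Received` line written by the recipient's own mail server (assumed here to be `mx.recipient.example`) and compares the host that handed the message over with the `From:` domain. The messages, host names and addresses are constructed, and `analyse` is a hypothetical helper.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages: every host, address and IP below is made up
# (example.* names, RFC 5737 documentation addresses).
GENUINE = """\
Received: from mail.college.example (mail.college.example [192.0.2.10])
 by mx.recipient.example with ESMTPS; Sat, 31 Aug 2013 15:01:02 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=college.example
Received: from staff-pc (unknown [10.1.2.3]) by mail.college.example;
 Sat, 31 Aug 2013 15:01:00 +0000
From: Friend <friend@college.example>

Hi
"""
SPOOFED = """\
Received: from dsl-host.isp.example (dsl-host.isp.example [203.0.113.77])
 by mx.recipient.example with ESMTP; Sat, 31 Aug 2013 17:40:00 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=college.example
Received: from mail.college.example (mail.college.example [192.0.2.10])
 by dsl-host.isp.example; Sat, 31 Aug 2013 17:39:00 +0000
From: PayPal <friend@college.example>

Click
"""
# "from <helo> (<resolved host> [<ip>]) by <receiving server>"
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)\s+by\s+([^\s;]+)")

def analyse(raw, my_mx):
    """Judge a message by the hop our own server (my_mx) recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Headers are prepended in transit: only the Received line written by
    # my_mx is trustworthy; anything below it could be forged by the sender.
    hops = (HOP.search(h) for h in msg.get_all("Received", []))
    hop = next((m for m in hops if m and m.group(3).lower() == my_mx), None)
    if hop is None:
        return {"verdict": "no trusted hop found"}
    host, ip = hop.group(1).lower(), hop.group(2)
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth) if auth.startswith(my_mx) else None
    aligned = host == from_domain or host.endswith("." + from_domain)
    ok = aligned and spf is not None and spf.group(1) == "pass"
    return {"from_domain": from_domain, "handoff_host": host, "handoff_ip": ip,
            "spf": spf.group(1) if spf else "none",
            "verdict": "consistent with sender's server" if ok else "likely spoofed"}
```

A "consistent" verdict means the message really passed through the institution's server, which points to a compromised account or machine there rather than a forged `From:` line. Lower `Received` lines, like the forged one in `SPOOFED`, are ignored because the sending host writes them.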
 

Offline RD (OP)

Re: How can spam email apparently come from a UK educational establishment ?
« Reply #2 on: 31/08/2013 19:45:23 »
Quote from: CliffordK on 31/08/2013 19:18:33
Assuming you know the participants involved, I would encourage everyone to scan their computer for viruses and spyware & make sure their antivirus and antispyware software is up to date.

The other thing to do is to open "Full Headers" on the e-mail.  By looking at the routing of the message, you should be able to determine if the message originated from your friend's computer, or if the e-mail address was spoofed, and the message originated elsewhere.

I did alert the sender to the possibility they've been hacked and I sent them a copy of the full header of the spam email. Amongst other things, their educational establishment teaches "computer engineering" and "computer science", so may make more sense of it than I could.

I think a BCC hack at the sender end is a possible explanation: unbeknownst to the sender, the Nigerians get a copy of the email ".edu" sent to me, and within a couple of hours I get spam email from the Nigerians which appears to come from the educational establishment in the UK.
« Last Edit: 31/08/2013 19:52:11 by RD »

Offline CliffordK

Re: How can spam email apparently come from a UK educational establishment ?
« Reply #3 on: 31/08/2013 20:42:45 »
Hmmm, I hadn't thought about adding a BCC to outgoing e-mail, although that should be visible to the sender. 

I think some just download the entire address book and message headers, and then start spoofing e-mail using that.  If a virus remains active on a computer, then it would be best to spoof mail coming from a 3rd party to prevent rapid identification of the hacked account.

Offline RD (OP)

Re: How can spam email apparently come from a UK educational establishment ?
« Reply #4 on: 01/09/2013 03:02:37 »
Just ran a test on the ".edu" IP address ...

Quote
Test port scan
Attention, there are 3 open ports:

     25/tcp open smtp
     465/tcp open smtps
     587/tcp open submission

Tests Blacklist and Whitelist
The IP address is blacklisted in one blacklist
The IP address is not whitelist

Does that mean they've left doors open? [or that they cannot be secured]
« Last Edit: 01/09/2013 03:27:06 by RD »