Read Gertrude's post (two before yours).

It's a common tactic of spammers to use someone else's email address in a (mostly futile) bid to beat spam-blockers and Black-lists.

They aren't posting from the victim's mailbox, or even from the victim's mail server - they're just using the email address in the From: field.

It's highly-unlikely that passwords have been stolen. The emails probably originate from the Asia-Pacific region and the nearest they have been to the victim's mail server is when they get bounced by sysops who don't know how to handle spoofed emails.

As said above, press delete and move on, you can't stop them, you can only ignore them.