I could have also said phising.

It happend to me yesterday (reconstructing events):

  1. Phising email sent to users.
  2. Some of them are always stupid to reply
    • and they send their password of course
    • or submit the google form (reporting abuse on google forms is futile, google does not care)
  3. Some time later something or someone (I suspect part of it is human) logs in with the password.
  4. They use the web interface (which can be ajax, so not sure how/if it can be automated reliably).
  5. They send millions of spam. (They do not hurry, but it is still recognisable. At least from the bounce rate.)
    • the sent spam is retained in the outbox

The good news is that this supplies valueable metrics to setup my rate limiting policy daemon. :-)