The information on the rating for angiev's site -- as far as spam received after signing up -- is pretty damning. There's no way you should be getting penile enlargement spam after registering at a real estate site.
The question that occurs to me is, could a spammer have randomly guessed the email address that McAfee entered on angiev's site? I assume there is some unique identifier McAfee uses to tell which site is responsible for which spam. Is there a pattern to it that can be guessed, given the fact that spammers don't care how many non-existent addresses they guess? After all, the bounces go to the forged "from" email addresses, not back to the spammers. Anyone on AOL knows that spammers don't hesitate to send to every possible permutation of addresses on popular domains.
When angiev sends out her emails to users who have signed up on her site, does she use blind carbon copy (bcc)? Or like so many small businesses, are all the emails of all the recipients visible in the headers, so every recipient's address book will have a copy? If any one of those users gets an email worm, every email address recorded will start being used as a "to" or "from" address on emails as the worm is sent to new machines. Or if angiev's email newsletter is particularly informative, a recipient may forward it to other people with all the other recipients' email addresses included. A lot of people could end up with that secret McAfee email address that way.
The other possibility is that the addresses are stored on a machine that has been compromised. I have been submitting to VirusTotal some of the malware from links I'm spammed with. If 50% of the antivirus programs detect a malware program, that's considered pretty good. I submitted two yesterday: one was detected by nine of 32 programs, the other by only six, and it wasn't just the free antivirus programs that were missing them. The malware was from sites that the antivirus folks can find just as easily as I can, but the fully updated programs still can't detect it.
The point is, malware is constantly changing and there is a delay between when a new variant arises and when it can be added to updates of AV programs. You can have a fully updated antivirus program and still get infected, and once infected, malware programs may download their own updates to continue to avoid detection. Some load themselves early enough in the Windows boot sequence that basic antivirus programs don't see them at all (rootkits). So angiev does need to consider the possibility even if she has been a responsible user. And if the information is stored on a computer not under her control, such as her website server, there are even more possibilities for mischief.
For your own computer, you can get free help with a full evaluation of your systems at Castlecops, starting at http://wiki.castlecops.com/MRP. Once that basic cleaning procedure is completed, if there is still any problem, specially trained volunteers will help on the forum, also for free.
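
On the question of whether a per-site test address could be guessed: the sketch below is an added example, not part of the original post and not McAfee's actual scheme, which the post does not describe. It assumes a hypothetical rating service that derives each test address from a secret key with HMAC, so mail sent to a guessed address matches no site; the key, mail domain and site names are constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional, Sequence

# Constructed values for this sketch; not anything a real rating service uses.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAIL_DOMAIN = "canary.example"
TAG_LEN = 16  # base32 characters kept from the MAC (80 bits)


def _tag(site: str) -> str:
    """Keyed tag for a site; cannot be predicted without SECRET_KEY."""
    mac = hmac.new(SECRET_KEY, site.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower()[:TAG_LEN]


def canary_address(site: str) -> str:
    """Address to enter when registering at `site`."""
    return f"{_tag(site)}@{MAIL_DOMAIN}"


def attribute(rcpt: str, registered_sites: Sequence[str]) -> Optional[str]:
    """Return the site whose test address received the mail, else None.

    Dictionary-style guesses (sales@, test1@, ...) match no tag, so they
    are never counted against any registered site.
    """
    local, _, domain = rcpt.strip().lower().partition("@")
    if domain != MAIL_DOMAIN:
        return None
    for site in registered_sites:
        # Compare as bytes in constant time; bytes also tolerate
        # non-ASCII local parts arriving from the network.
        if hmac.compare_digest(local.encode(), _tag(site).encode()):
            return site
    return None


if __name__ == "__main__":
    sites = ["realestate.example", "shop.example"]  # constructed
    addr = canary_address(sites[0])
    print(addr, "->", attribute(addr, sites))
    print("sales@" + MAIL_DOMAIN, "->", attribute("sales@" + MAIL_DOMAIN, sites))
```

An unguessable tag only rules out random guessing; an address exposed through visible recipient headers, a forwarded newsletter or a compromised machine still reaches spammers and is still attributed to the site it was given to.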