Ccquestions

Q: Macbook is sending spam mail

I've received mail from my iCloud account. I verified the mail was sent from my computer by looking at the email headers and even found the mail message in my sent items folder. I then looked in my mail folder

/Users/[username]/Library/Mail/V3/AosIMAP-[imap account withheld]/Drafts.mbox/7XXXXX5-AXXD-4XXE-BXX0-5XXXXXXXXXX9/Data/5/Messages

and found .emlx files with the spam message:

bash-3.2# more 5607.emlx
926
Subject: Alert - Beta Testers Needed To Earn Six Figures Weekly
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/html;
        charset=us-ascii
X-Apple-Base-Url: x-msg://3/
X-Universally-Unique-Identifier: XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX
X-Apple-Mail-Remote-Attachments: YES
From: chris [last name] <address_withheld@icloud.com>
X-Apple-Auto-Saved: 1
X-Apple-Windows-Friendly: 1
Date: Sun, 4 Sep 2016 08:04:59 -0500
X-Apple-Mail-Signature: SKIP_SIGNATURE
Content-Transfer-Encoding: 7bit
Message-Id: <XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX@icloud.com>
X-Uniform-Type-Identifier: com.apple.mail-draft

<html><head></head><body dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">August 8, 2016 2:00 AM : Beta Testers Needed To Earn Six Figures Weekly<br><br>Discover the proper way of making passive income. Watch this =&gt; http://goo.gl/[spam url]
</body></html>
<?xml version="1.0" encoding="UTF-8"?>

The only log data I've been able to find for this event is as follows:

[com.apple.calendar.agent.log] [We timed out waiting for Mail to send our email Alert - Beta Testers Needed To Earn Six Figures Weekly. It won't be sent.]
[com.apple.calendar.agent.log] [Mail failed to send our email Alert - Beta Testers Needed To Earn Six Figures Weekly with error Error Domain=kCFErrorDomainCFNetwork Code=2 "Connections to host p25-smtp.mail.me.com on the default ports failed." UserInfo={NSLocalizedDescription=Connections to host p25-smtp.mail.me.com on the default ports failed., kCFGetAddrInfoFailureKey=8}.]

The email in question with headers:

Delivered-To: [gmail user name]@gmail.com
Received: by 10.157.40.207 with SMTP id s73csp1040192ota;
        Sat, 3 Sep 2016 23:50:02 -0700 (PDT)
X-Received: by 10.200.47.79 with SMTP id k15mr2069344qta.108.1472971802582;
        Sat, 03 Sep 2016 23:50:02 -0700 (PDT)
Return-Path: <[icloud user name]@icloud.com>
Received: from st14p25im-asmtp003.me.com (st14p25im-asmtp003.me.com. [17.162.181.61])
        by mx.google.com with ESMTPS id i129si13825091qkd.117.2016.09.03.23.50.02
        for <[gmail user name]@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 03 Sep 2016 23:50:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of [icloud user name]@icloud.com designates 17.162.181.61 as permitted sender) client-ip=17.162.181.61;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@icloud.com;
       spf=pass (google.com: domain of [icloud user name]@icloud.com designates 17.162.181.61 as permitted sender) smtp.mailfrom=[icloud user name]@icloud.com;
       dmarc=pass (p=NONE dis=NONE) header.from=icloud.com
Received: from process-dkim-sign-daemon.st14p25im-asmtp003.me.com by
 st14p25im-asmtp003.me.com
 (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016))
 id <0OCY01600W1HK100@st14p25im-asmtp003.me.com> for
 [gmail user name]@gmail.com; Sun, 04 Sep 2016 06:50:02 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=4d515a;
 t=1472971802; bh=FvyWQyLlrOdFTdnpKS57UiGAFlP9FPQe6li9LDwBeOU=;
 h=Date:Content-type:From:MIME-version:Subject:Message-id:To;
 b=BZIAXyYX3jnGsl2nsTeBp9R1Rtz/Too3XIcPnRSUDb6GDeSskZ3Hp9Mcc8N7rJyHJ
 XzPWAcrotzdup6no4OcAUhe48aNKgirk4+1L2fQiwiaMYaKOPXZz2HRay/H13oxgRJ
 h2da8Anh7z/bfuOTIwnw251gnzPm7JYcI9HfN+jFooUaPhxjHXRuXG2v/a88cMHbDK
 lnkKkjF4WunjXYcFKR5uL3bT516795nJg9UQclb3A/bi2LJ1PdE2qLR18XtoNCa7Hc
 GjOnv2IoiuN0h7pu5y4ipS3yOzY2RBDo6LOUc6Rz1JsHF0nsitFNg+97gSR1JGoYto
 MQm9hID2HpXQQ==
Received: from [my computer name withheld]
 ([my ISP] [my ip address])
 by st14p25im-asmtp003.me.com
 (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016))
 with ESMTPSA id <0OCY011O1WBCAB30@st14p25im-asmtp003.me.com> for
 [gmail user name]@gmail.com; Sun, 04 Sep 2016 06:50:01 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,,
 definitions=2016-09-04_04:,, signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 clxscore=1015 suspectscore=13 malwarescore=0 phishscore=0 adultscore=0
 bulkscore=32 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1603290000 definitions=main-1609040104
Date: Sun, 04 Sep 2016 06:50:01 +0000 (GMT)
Content-transfer-encoding: 7bit
Content-type: text/html; charset=us-ascii
From: [name withheld] <[icloud user name]@icloud.com>
MIME-version: 1.0 (Mac OS X com.apple.MailServiceAgent 9.3 \(3124\))
Subject: Alert - Beta Testers Needed To Earn Six Figures Weekly
Message-id: <507F74B9-1DEA-4734-A5A4-63D38987D9DB@icloud.com>
To: [gmail user name]@gmail.com
X-Mailer: Apple Mail (2.3124)

September 4, 2016 2:00 AM : Beta Testers Needed To Earn Six Figures Weekly<br><br>Discover the proper way of making passive income. Watch this => http://goo.gl/[spam url]

My question is, does anyone know where the cause of this trojan would be located and how I would go about removing it?

MacBook Air, OS X El Capitan (10.11.6)

Posted on Sep 4, 2016 11:57 AM
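The following is an added example, not part of the post above and not Apple's code. It does in Python what the poster did by hand, on constructed data modeled on the three artifacts quoted: it splits an .emlx file into its RFC 5322 message and its trailing metadata plist, walks the Received chain of the delivered mail to find the authenticated-submission hop (the "with ESMTPSA" line, which is the one naming the poster's own machine rather than Apple's relays), collects the header fields that name the composing software (X-Mailer, the MIME-version comment, X-Uniform-Type-Identifier), and matches the subject against the calendar agent log lines. Hostnames, addresses and the 203.0.113.7 IP are placeholders, and the plist body is an assumption because the post shows only its first line.

```python
import email
import plistlib
import re

SUBJECT = "Alert - Beta Testers Needed To Earn Six Figures Weekly"

# Constructed .emlx modeled on the 5607.emlx dump in the post.  An .emlx file
# is: a first line holding the message length in bytes, the RFC 5322 message,
# then an XML plist of Mail.app metadata.  The plist body is an assumption.
DRAFT_MESSAGE = (
    f"Subject: {SUBJECT}\n"
    "Mime-Version: 1.0 (Mac OS X Mail 9.3 \\(3124\\))\n"
    "Content-Type: text/html;\n\tcharset=us-ascii\n"
    "From: chris <address_withheld@icloud.com>\n"
    "Date: Sun, 4 Sep 2016 08:04:59 -0500\n"
    "X-Uniform-Type-Identifier: com.apple.mail-draft\n"
    "\n"
    "<html><body>Discover the proper way of making passive income.</body></html>\n"
)
DRAFT_PLIST = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<plist version="1.0"><dict><key>flags</key><integer>0</integer></dict></plist>\n')
SAMPLE_EMLX = (f"{len(DRAFT_MESSAGE.encode())}\n".encode()
               + DRAFT_MESSAGE.encode() + DRAFT_PLIST)

# Constructed copy of the delivered message's headers, identifiers replaced.
DELIVERED_RAW = r"""Delivered-To: recipient@gmail.com
Return-Path: <sender@icloud.com>
Received: from st14p25im-asmtp003.me.com (st14p25im-asmtp003.me.com. [17.162.181.61])
        by mx.google.com with ESMTPS id i129si13825091qkd.117.2016.09.03.23.50.02
        for <recipient@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 03 Sep 2016 23:50:02 -0700 (PDT)
Received: from process-dkim-sign-daemon.st14p25im-asmtp003.me.com by
 st14p25im-asmtp003.me.com
 (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016))
 id <0OCY01600W1HK100@st14p25im-asmtp003.me.com> for
 recipient@gmail.com; Sun, 04 Sep 2016 06:50:02 +0000 (GMT)
Received: from my-macbook-air
 (isp.example.net [203.0.113.7])
 by st14p25im-asmtp003.me.com
 (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016))
 with ESMTPSA id <0OCY011O1WBCAB30@st14p25im-asmtp003.me.com> for
 recipient@gmail.com; Sun, 04 Sep 2016 06:50:01 +0000 (GMT)
Date: Sun, 04 Sep 2016 06:50:01 +0000 (GMT)
Content-type: text/html; charset=us-ascii
From: sender <sender@icloud.com>
MIME-version: 1.0 (Mac OS X com.apple.MailServiceAgent 9.3 \(3124\))
Subject: Alert - Beta Testers Needed To Earn Six Figures Weekly
To: recipient@gmail.com
X-Mailer: Apple Mail (2.3124)

September 4, 2016 2:00 AM : Beta Testers Needed To Earn Six Figures Weekly
"""
DELIVERED = email.message_from_string(DELIVERED_RAW)

# Constructed log lines modeled on the two com.apple.calendar.agent lines quoted.
AGENT_LOG = [
    "[com.apple.calendar.agent.log] [We timed out waiting for Mail to send our email "
    + SUBJECT + ". It won't be sent.]",
    "[com.apple.calendar.agent.log] [Mail failed to send our email " + SUBJECT
    + " with error Error Domain=kCFErrorDomainCFNetwork Code=2]",
]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"              # name the client announced (HELO/EHLO)
    r"(?:\s*\((?P<src>[^)]*)\))?"        # what the server saw: rDNS and [IP]
    r"\s*by\s+(?P<by>\S+)"               # the server that recorded this hop
    r"(?:.*?\bwith\s+(?P<proto>\S+))?",  # RFC 3848 keyword, e.g. ESMTPSA
    re.S,
)
LOG_RE = re.compile(
    r"^\[(?P<subsystem>[^\]]+)\] \[.*?send our email (?P<subject>.+?)"
    r"(?: with error|\. It won't be sent)")


def parse_emlx(data):
    """Split an .emlx file into its message and its plist metadata."""
    nl = data.index(b"\n")
    length = int(data[:nl].strip())
    start = nl + 1
    msg = email.message_from_bytes(data[start:start + length])
    meta = plistlib.loads(data[start + length:].strip())
    return msg, meta


def parse_received(msg):
    """Parse each Received: header, top of message (last hop) first."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(raw)
        if m:
            hops.append(m.groupdict())
    return hops


def find_submission_hop(msg):
    """Hop where the message entered the mail system over an authenticated
    session (ESMTPA/ESMTPSA).  That client, not the relays, is the origin."""
    for hop in parse_received(msg):
        if (hop["proto"] or "").upper() in ("ESMTPA", "ESMTPSA"):
            return hop
    return None


def source_ip(hop):
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", hop.get("src") or "")
    return m.group(1) if m else None


def sending_agent(msg):
    """Header fields that identify the software that composed the message."""
    names = ("X-Mailer", "MIME-Version", "X-Uniform-Type-Identifier")
    return {n: msg.get(n) for n in names if msg.get(n)}


def subsystems_requesting_send(lines, subject):
    """Which logging subsystems asked Mail to send a message with this subject."""
    found = set()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("subject") == subject:
            found.add(m.group("subsystem"))
    return found


if __name__ == "__main__":
    draft, meta = parse_emlx(SAMPLE_EMLX)
    print("draft:", draft["Subject"], draft["X-Uniform-Type-Identifier"], meta)
    hop = find_submission_hop(DELIVERED)
    print("submitted from:", hop["helo"], source_ip(hop), "via", hop["by"], hop["proto"])
    print("composed by:", sending_agent(DELIVERED))
    print("asked Mail to send it:", subsystems_requesting_send(AGENT_LOG, SUBJECT))
```

The point of the Received walk is that SPF, DKIM and DMARC all pass here because the mail really was submitted through iCloud with the account's own credentials; the interesting line is the ESMTPSA hop, and the interesting composer field is the MIME-version comment naming com.apple.MailServiceAgent rather than Mail 9.3 itself, which is what the draft's header says.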


  • by Eric Root (Level 9, 69,640 points), Sep 4, 2016 1:56 PM in response to Ccquestions

    Do you have any Mail plugins installed?

    Try running this program and then copy and paste the output in a reply. The program was created by Etresoft, a frequent contributor. Please use copy and paste as screen shots can be hard to read. On the screen with Options, please open Options and check the bottom 2 boxes before running. Click “Share Report” button in the toolbar, select “Copy to Clipboard” and then paste into a reply. This will show what is running on your computer. No personal information is shown.

    Etrecheck – System Information
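Added example, not Eric Root's reply and not Etresoft's code: a Python script that answers the Mail-plugin question directly by listing the Library/Mail/Bundles directory (where Mail.app loads third-party plugins) and parsing every launchd plist under Library/LaunchAgents and Library/LaunchDaemons (where anything that wants to run persistently is registered). Run report() against "/" and against the home directory to cover the system and per-user copies of each. It builds a constructed sample tree with invented names so it runs offline; the odd-location flag is a heuristic of my own, not a verdict.

```python
import json
import os
import plistlib
import tempfile

# Standard locations, relative to a root: "/" for the system copy, the
# user's home directory for the per-user copy.
MAIL_BUNDLE_DIRS = ("Library/Mail/Bundles",)
LAUNCH_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")


def find_mail_bundles(root):
    """Sorted names of *.mailbundle plugins under root."""
    found = []
    for rel in MAIL_BUNDLE_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            found.extend(n for n in os.listdir(path) if n.endswith(".mailbundle"))
    return sorted(found)


def looks_odd(path):
    """Heuristic: binaries run from temp dirs or hidden directories deserve a look."""
    parts = path.split("/")
    hidden = any(p.startswith(".") and p not in (".", "..") for p in parts)
    return hidden or path.startswith(("/tmp/", "/var/tmp/", "/private/tmp/"))


def find_launch_items(root):
    """Parse every launchd plist under root and report what it starts."""
    items = []
    for rel in LAUNCH_DIRS:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            continue
        for name in sorted(os.listdir(path)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(path, name)
            try:
                with open(full, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:  # malformed plist: still worth reporting
                items.append({"file": full, "error": str(exc)})
                continue
            program = plist.get("ProgramArguments") or [plist.get("Program", "")]
            items.append({
                "file": full,
                "Label": plist.get("Label"),
                "program": program,
                "RunAtLoad": bool(plist.get("RunAtLoad", False)),
                "odd_location": looks_odd(str(program[0])),
            })
    return items


def report(root):
    """What a reply to "do you have any Mail plugins installed?" needs."""
    return {"mail_bundles": find_mail_bundles(root),
            "launch_items": find_launch_items(root)}


def build_sample_tree():
    """Constructed demo layout (invented names, not a real threat): one Mail
    plugin and one user LaunchAgent that starts a hidden binary at login."""
    root = tempfile.mkdtemp(prefix="mailcheck-")
    os.makedirs(os.path.join(root, "Library/Mail/Bundles/SampleHelper.mailbundle"))
    agents = os.path.join(root, "Library/LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.sample.plist"), "wb") as fh:
        plistlib.dump({
            "Label": "com.example.sample",
            "ProgramArguments": ["/Users/demo/.sample/helper", "--run"],
            "RunAtLoad": True,
        }, fh)
    return root


if __name__ == "__main__":
    print(json.dumps(report(build_sample_tree()), indent=2))
    # On a real Mac, check both copies:
    # print(json.dumps(report("/"), indent=2))
    # print(json.dumps(report(os.path.expanduser("~")), indent=2))
```

This covers only the two locations the reply is asking about; EtreCheck reports considerably more (kernel extensions, login items, browser extensions), which is why the reply asks for its output rather than a directory listing.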