Read on if you'd like to know more.
Many people receive spam messages from an address at a large webmail provider (usually AOL, Yahoo, Hotmail), where the content of the messages is usually just a single URL.
These messages are likely a class of spam sent from compromised (hacked) but legitimate webmail accounts. What is apparently happening in these cases is a spammer has obtained control of a webmail user's legitimate account, and is using it to send spam without the knowledge of the account owner. The spam messages are typically sent to other addresses associated with the account -- addresses in the address book, and/or addresses parsed from messages in the sent & received mail spool for that account. This implies that the owner of the sending account is likely to be someone who has corresponded with your user (i.e. someone your user knows directly -- a friend or business associate), or possibly someone who is "connected" indirectly with your user, perhaps by being a cc recipient on a message sent by a third party to both your user and the spam source account.
These messages tend to be characterized by minimal content -- usually the Subject header line is empty, and the body is also empty except for the payload URL being advertised. The URL itself is often a web page on a legitimate hosting service, or a page placed on a compromised but legitimate web server. That being the case, the only features that can potentially be used to identify the message as spam are the sender address itself, and the URL. Since the sender address is legitimate, it is typically inappropriate for Proofpoint to include it in the spam definitions provided to all customers. This leaves the URL as the only appropriate feature to block the message, and this is usually not known in advance of its use in spam. As a result, it is very difficult to block these messages using the base spam classifier in PPS.