Email spam is a critical problem to the Internet for a long time. The average amount of spam mail reached 72.1% of all email traffic in the world in 2012. The greatest threat to the email service providers was the spam mail sent from botnet, because the spam mail sent from botnet was accounting for more than 78% in 2011; therefore appeared many anti-spam solutions and techniques that were focus on the botnet. Owing to these anti-spam techniques, botnet spam is not effective as before. Spammers are finding new way to send the spam mail. One of the effective methods is using compromised accounts (or bot accounts) to send the spam mail because compromised accounts have good reputation IP addresses and compromised accounts send the spam mail with complete SMTP implemented server, such as Gmail, Yahoo!Mail, and Microsoft Live Mail. The spam mail send form compromised accounts are very difficult to be detected by any anti-spam techniques. Hence, we focus on the features spammers cannot easily hide. According to our research we find that normal users usually do not reply to the spam mail. Moreover, our empirical analysis reveals that the compromised account actually have low reply rate. We develop a system called 'Hawkeye' that can find the compromised accounts effectively by checking the account's reply rate.