a) The BBC link to the original paper. Yay!
b) The ethics of it appear rather dodgy from the BBC article, and slightly less so from the paper. The article reads:
They created several so-called "proxy bots" […] The team used these machines to control a total of 75,869 hijacked machines and routed their own fake spam campaigns through them. […]While running their spam campaigns the researchers sent about 469 million junk e-mail messages.
The paper argues that all they did was modify spam that was going to be sent anyway, and by directing users to their benign online pharmacy site (which intentionally reported an error on credit-card verification) they were strictly reducing harm. They don't discuss the ethics of using the Yahoo, Gmail and Hotmail addresses they created for their research.