A user in my office opened and forwarded a chain email to one of her contacts.
A few days later a different contact asked her to stop sending the email to them on a daily basis. She had not included this contact on the forward.
I ran a virus scan on her computer and came up empty. I also had a local IT company look at the Exchange server to see if he could verify that the email was in fact originating from the server and again we learned nothing.
Over the course of a few days more and more people started emailing her asking her to stop sending the email. It appears that the email is sent on a fairly regular schedule as the timestamp on the email frequently is at 7:14 AM.
I'm at a loss for what to do next.