Mystery email delivery
Posted on 2014-02-03
We have an Exchange 2010 (SBS) server which is delivering small amounts of spam to a particular address that doesn't (or shouldn't) exist. The email appears to be being sent to email@example.com and it's being delivered to firstname.lastname@example.org, email@example.com and firstname.lastname@example.org. This suggests it might be an address on an internal distribution list, but we can't find anything to support this theory. It's only a small company, so we've been through the Exchange mailboxes looking for this address but can't find it anywhere.
In short, it's being received on an address that shouldn't exist and it's arriving in several people's (but not everyone's) mailboxes.
Looking at the header of the email, there's no evidence to suggest that it's being received on a BCC - the only email addresses mentioned are the sender and the unknown address on our client's domain.
The server is generally well configured and not set to receive 'catch all' emails.
The email also shows that it has been scanned for malware prior to delivery, which suggests that it doesn't originate from within the local network, since the scanning is outsourced and only scans external emails.