I have a user who received a spam message. However the user's address wasn't in the To field. I checked the Internet Message Header and it wasn't there either. The to field had a user who doesn't exist on our domain. How would this message have gotten into the user's mailbox? Would this be an example of a directory harvest attack?