I recently had something similar and someone pointed me to an undocumented SQL stored procedure called sp_who2 (I think). This allowed me to find that an http call from a client called “website” was the culprit, and an email to all users, "hey, anyone have a computer called “website” that I don’t know about? " came up positive.