I am not sure how this is possible, but I suspect spammers are using our email address to send messages to people.

Our emails are hosted by GoDaddy. How is this possible and how can we stop it?

Do you mean you think they are hacking your email and sending things from your ISP, or are they just copying your addy and making people think they are coming form you?

Is it possible that some email went out that included the entire list of addresses?

I've been surprised a few times when I receive bulk-type email and could see the other recipient's addresses.

Spammers are not sending email from your address, they are just pretending that the email originates from your domain name.

This is extremely easy to do and hard to stop.

Try using SPF (Sender Policy Framework). This is added to your domain zone file, and allows you to say which email servers are permitted to send for your domain. If a receiving server uses SPF validation, it will check to see if the domain the email is coming from has an SPF listed, and if the email isn't from an allowed server, it will reject it. If the domain doesn't have an SPF nominated, or the sending server matches the SPF nominated servers, then it is accepted.

It isn't perfect, and will only work really well once receiving servers have it setup, but it's a start - and if people start demanding it - then it will make a difference.

More information can be found here: www.Openspf.Org/

Contact GoDaddy and tell them to set SPF records for your domain.

If you are using Google Apps on GoDaddy, then the instructions are as followed:

To set your domain's SPF record, you should have access to your domain's DNS settings. On your DNS resource, publish the following TXT record: v=spf1 include:aspmx.googlemail.com ~all

Source: www.google.com/support/a/bin/answer.py?hl=en&answer=33786