same source and destination

["Petrit Podrimja" <podrimja () ipko net>]

Hi everyone,
In recent days I'm seeing some alerts from my snort sensor about bad-traffic (same src/dst), the IP is 4.0.1.0 and the 
traffic is tcp with source port 80. I identified the user and I talked with him to stop it but he says that he doesn't 
know if someone from his company is sending this kind of traffic. So, does anyone know if this kind of traffic is 
generated from some kind of virus or someone is sending spoofed traffic as I'm thinking.

Thanks,
Petrit