-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Previously I wrote:
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address
On a whim I decided to try it, then I found out/realized this is a "dhcp" address, meaning what hits you TODAY may come from a different source TOMORROW (and if you block THIS address, somewhere down the line a legitimate user may want to view your site, but "by chance" they happen to have the "blocked" IP address right then...)

This might also explain (to a degree) why RR's techs don't want to deal with it: it is/was "transient", so if they looked "right now" it may not be a problem (or worse, you'd be fingering an innocent bystander). OF COURSE this means they would need to correlate your logs with theirs [via timestamps] "but that would require work" ;)

Overall your best bet is to contact the abuse department [which you're doing] and if they want to call it spam, call it spam -- it's not YOUR fault they have problems classifying abusive network traffic. Either way, this will eventually get that particular user/server "pulled" until they clean up their server, and "overall for the health of the net", that is a good thing :)

- -- 
Yet another Blog: http://osnut.homelinux.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: http://osnut.homelinux.net/TomEmerson.asc

iD8DBQE+ekUDV/YHUqq2SwsRAtiBAJwLIvUAYFBsG0V29qdS8EIhv8X/rgCfQQs3
sU9qXVsVjAh3oz7Df56ftxY=
=8bmJ
-----END PGP SIGNATURE-----
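The timestamp correlation described in the message above, sketched as an added example that is not part of the original post: the same dynamic address resolves to different subscribers depending on when the hit occurred, which is why an abuse report needs exact timestamps and why a permanent IP block can land on a bystander. The access log lines, the lease table layout, the addresses and the subscriber names are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample data (not from the original message). The IPs are
# documentation addresses; the lease table and subscriber names are hypothetical.
ACCESS_LOG = """\
192.0.2.77 - - [18/Mar/2003:09:14:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.77 - - [18/Mar/2003:09:14:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.77 - - [19/Mar/2003:16:40:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [19/Mar/2003:16:41:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
"""

LEASES = [  # (ip, lease start, lease end, subscriber), as a provider might hold them
    ("192.0.2.77", "2003-03-18T02:00:00+0000", "2003-03-19T02:00:00+0000", "subscriber-A"),
    ("192.0.2.77", "2003-03-19T02:00:00+0000", "2003-03-20T02:00:00+0000", "subscriber-B"),
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
PROBE = re.compile(r'(?:root|cmd)\.exe', re.I)  # worm-style request for a shell binary


def parse(log):
    """Yield (ip, timezone-aware timestamp, request path) per parsable log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, _method, path, _status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path


def holder_at(ip, when, leases=LEASES):
    """Return who held `ip` at `when`, or None if no lease record covers it."""
    for lease_ip, start, end, who in leases:
        s = datetime.strptime(start, "%Y-%m-%dT%H:%M:%S%z")
        e = datetime.strptime(end, "%Y-%m-%dT%H:%M:%S%z")
        if lease_ip == ip and s <= when < e:
            return who
    return None


def attribute(log=ACCESS_LOG):
    """One (ip, ISO timestamp, is_probe, lease holder) tuple per request."""
    return [(ip, when.isoformat(), PROBE.search(path) is not None, holder_at(ip, when))
            for ip, when, path in parse(log)]


def abuse_report(log=ACCESS_LOG):
    """Probe hits only, with the timestamp the provider needs to match its own logs."""
    return [f"{when} {ip}" for ip, when, probe, _who in attribute(log) if probe]
```

In this constructed data the probes from 192.0.2.77 map to subscriber-A, while the ordinary page view from the same address a day later maps to subscriber-B, the visitor a standing block would have turned away.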