wilderness - 10:59 am on Nov 11, 2012 (gmt 0)
Why bother with the host name at all? Somewhere behind the name is an IP address-- and it's less likely to be faked than anything else you could block. If you're in doubt about the full range, just make it bigger. If for example it claims to be
but your raw logs don't turn up anything from the rest of aa.bb., just block the whole /16. Or /15 or /14 if you haven't met any humans from there either.
I agree, and furthermore, if your unable to focus on the IP range?
Simply start denying Class A's (/8) temporarily, and then expanding them in follow up.