What was the User-agent? Some browsers have been reported to "leak" previous referers, even when the request to your site was really invoked by typing in the address bar or using a bookmark.

It could also be an e-mail address harvester, using a faked User-agent and referer to allay your suspicions.

Jim

Could be the first option. since the IP is from my local cable company. Here is the edited string :

IP from a local cable company - - [14/Oct/2002:16:11:45 -0400] "GET /images/generique/logo_1.jpg HTTP/1.1" 304 - "http://pbskids.org/funny_folder/the_referral_page.htm" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95; DigExt)"

All 304, but cant get this IP again anywhere in the file...

304 would mean it's probably not a e-mail harvester or similar, but it could be a "page watcher" that checks your site for modified pages or objects (See recent thread on "WebClipping" in either the SE spider ID or the Tracking and Logging forum). Or it could be a regular user with a very large Temporary Internet Files folder!

How far back does your log go?

Jim

The logfile goes back from last month when this new site was put online.

It could be a user who switched his IP or connection, even on cable.

What is weird is that every single componement of the page got the phony referral string. Must be that "leaking" thing you mentionned.

I missed the detail that every on-page element was requested with the off-site referer.

I can't tell why they are checking your site for updated content, but this is not a good sign - they are faking the HTTP_REFERER. MSIE 5.0 doesn't have that bug! ;)

If I found that in my logs, I'b block it.

Jim