How does this work? Verbatim except IP and filename. "example.com" won't cut it, since that's the whole point of the question.

ww.xx.yy.zz - - [22/Oct/2012:23:26:49 -0700] "GET /directory/subdirectory/images/filename.png HTTP/1.1" 200 2325 "http://localhost/main.jsp" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322)"

ww.xx.yy.zz is not a human; it's the IP address (fixed) of the site that uses the image. Apache server. It's an authorized hotlink -- /main.jsp is the correct page name -- but of course I didn't authorize no "localhost", so 2325 is the size of my "no hotlinks" file.*

I have no reason to think the UA is faked in any way. (There's a backstory which I had better not tell, although it's pretty entertaining.)


* Took me a while to figure this out. Ironically it's bigger than the requested file.