
What would you do?

ISP unresponsive Re: NIMDA-infected client


jdMorgan

2:06 am on Jul 7, 2002 (gmt 0)

This machine has been pounding one of my sites for the last three weeks,
requesting 30 files simultaneously every 45 minutes or so.

64.0.85.21 - - [06/Jul/2002:21:27:42 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 844 "-" "-"

It is futilely trying to find an IIS vulnerability, and despite the fact that
my server is Apache, it won't give up. It's stealing bandwidth and making a
mess of my logs.

I have e-mailed abuse@ the ISP (XO Communications) several times, and after
three weeks have received no response (other than autoreplies) - and the
machine keeps on sending requests.

So, if the ISP is unresponsive, is there a "higher authority" to which I can
report this? What would you do? Any advice would be appreciated.

Thanks,
Jim
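The log line quoted above is a classic IIS directory-traversal probe: `%255c` is `%5c` percent-encoded a second time, which decodes to a backslash, so `..%255c..` becomes `..\..` once both layers are stripped. The following is an added example, not code from the thread, that parses Apache combined-format lines, undoes the nested encoding, and summarises per source IP how many hostile requests arrived and how many bytes the server spent answering them. The sample log is constructed for the example; only the first line is the one quoted in the post, the other IPs and timestamps are made up.

```python
"""Flag IIS/NIMDA-style probes in Apache access logs and summarise them per IP.

Added example (not from the thread). It parses Apache combined-format lines,
undoes repeated URL encoding such as %255c -> %5c -> '\\', and reports which
source IPs are sending cmd.exe / directory-traversal requests, how often, and
how many bytes the server has spent answering them.
"""
import re
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Probe for the IIS command shell (cmd.exe) or the root.exe copy NIMDA leaves behind.
IIS_CMD_RE = re.compile(r'(?:cmd|root)\.exe', re.IGNORECASE)
# Directory traversal once every encoding layer is stripped: "../" or "..\"
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def fully_decode(target, max_rounds=3):
    """Undo nested percent-encoding (e.g. %255c -> %5c -> '\\')."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Return a label for a hostile request target, or None if it looks benign."""
    decoded = fully_decode(target)
    if IIS_CMD_RE.search(decoded):
        return 'iis-cmd-probe'
    if TRAVERSAL_RE.search(decoded):
        return 'traversal'
    return None


def parse_line(line):
    """Parse one Apache combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def find_scanners(log_text):
    """Summarise hostile requests per source IP: hits, bytes served, labels, first/last seen."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec['target'])
        if label is None:
            continue
        entry = report.setdefault(rec['ip'], {
            'hits': 0, 'bytes': 0, 'labels': set(),
            'first': rec['ts'], 'last': rec['ts'],
        })
        entry['hits'] += 1
        entry['bytes'] += rec['bytes']
        entry['labels'].add(label)
        entry['first'] = min(entry['first'], rec['ts'])
        entry['last'] = max(entry['last'], rec['ts'])
    return report


# Constructed sample log: the first line is the one quoted in the post, the rest are made up
# (192.0.2.x and 198.51.100.x are documentation ranges, not real hosts).
SAMPLE_LOG = """\
64.0.85.21 - - [06/Jul/2002:21:27:42 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 844 "-" "-"
64.0.85.21 - - [06/Jul/2002:21:27:42 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 844 "-" "-"
64.0.85.21 - - [06/Jul/2002:21:27:43 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 844 "-" "-"
192.0.2.10 - - [06/Jul/2002:21:30:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
64.0.85.21 - - [06/Jul/2002:22:12:42 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 844 "-" "-"
198.51.100.7 - - [06/Jul/2002:22:15:09 -0400] "GET /cgi-bin/search.cgi?q=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 300 "-" "curl/7.9"
"""

if __name__ == '__main__':
    for ip, e in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{ip}: {e['hits']} hits, {e['bytes']} bytes served, {sorted(e['labels'])}, "
              f"{e['first']:%Y-%m-%d %H:%M} .. {e['last']:%Y-%m-%d %H:%M}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's contents; the per-IP byte total is what the custom 403 page is actually costing, and the first/last timestamps give the abuse desk a concrete window to quote. Decoding is done in a loop rather than once because a single `unquote` turns `%255c` only into `%5c`, which is exactly the trick these probes rely on to slip past naive filters.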

SmallTime

2:25 am on Jul 7, 2002 (gmt 0)

I would email the hostmaster at concentric.net, and any other email addresses you can find.

jdMorgan

2:36 am on Jul 7, 2002 (gmt 0)

Yup, did that... Autoreplies only...

But thanks for the reply,

Jim

Knowles

2:37 am on Jul 7, 2002 (gmt 0)

If it's always the same IP, can you not just ban them?

jdMorgan

2:49 am on Jul 7, 2002 (gmt 0)

Yeah,
I 403'ed that IP, but it's still messing up my logs, and leeching bandwidth
loading the "403 Forbidden" page 960 times a day...

I'm just wondering if there's something I can do to get their attention, or to
get someone to shut this machine down - I'm very surprised the ISP doesn't detect
those characteristic page requests and shut them down automatically - I know my
hosting service would do this!

Jim

idiotgirl

6:04 am on Jul 7, 2002 (gmt 0)

I redirected all mine to Microsoft via .htaccess. Seems like I caught a nice little snippet on slashdot.org some time ago. Still, the volume of requests sounds like the plague in your case.

Any phone number for concentric? I was bombarded by so many spam emails from one person that it crashed my ISP's mail server. I finally located the ISP by phone, explained my plight, and they shut it down while I was on the phone.

idiotgirl

8:51 am on Jul 7, 2002 (gmt 0)

Aha. Here's a stop-gap measure posted earlier at WebmasterWorld:

http://www.webmasterworld.com/forum3/1342.htm?highlight=nimda+htaccess

jdMorgan

3:54 pm on Jul 7, 2002 (gmt 0)

idiotgirl,

I followed that thread, and my situation is the same as cited by "ebess" ...
NIMDA won't follow a redirect, and my real beef is just that it keeps fetching
my custom 403 page over and over again. If it did follow a redirect, things
would be even worse, as I have a second redirect on the 403 page to another
page which explains the site access policies, and why the "user" might have
gotten the 403 page (banned IP, banned hostname, error on my part, etc.) The
custom 403 page is only 844 bytes, while the explanatory page is several KB!
Real human users with misconfigured browser security settings occasionally
fetch the explanatory page, but bad 'bots and scripts never do.

If these malicious agents did follow redirects, I might simply send them back
to their own ISP's "public" server - the one they use to sign up customers.
I'll bet they'd notice *that* real fast! :)

So, I'm already "blocking" this IP with .htaccess, but it still loads the custom
403 page 900 times a day! Not really a huge bandwidth problem, but it does make
a mess of my raw log files...

I think I will try to get a phone number and harass them 'til they do something;
The ISP's failure to shut down this infected machine because *I* complain about
excess accesses is one thing, but leaving it live and possibly infecting other
unpatched IIS servers is irresponsible!

This exercise raised an interesting question: ISPs police users, but who
polices ISPs?

Thanks all!

Jim