Forget IP.

It is actually something installed on visitor's PC.
The original referrer is a result of the search on G images. Immediately after that is the request from mAgent for the same document, being that a picture, PDF or a regular page.

Would this fall under kind of spyware or adware? I guess a visitors are not even aware of that running on their PCs.

Why would Mail.ru install that onto people's PCs?

Finally, is there any reason to allow Mail.ru to access our sites?

Thanks

This Mac person can't speak to the file-related issues, sorry. But FWIW, I've blocked Mail.ru -- both Host and UA -- for over a year with no ill effects.

-----
aurora3.mail.ru
Mail.Ru/1.0

robots.txt? Yes BUT promptly ignored it.

-----
proton.mail.ru
Mozilla

robots.txt? NO

-----
194.186.55.207
Mail.Ru/1.0

robots.txt? Yes
(Hit via IP but has rDNS: my141.mail.ru)

This just came around for the first time, courtesy of a .cable.rcn.com visitor. FWIW:

* The mAgent hits alternated with:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6.4; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

* The MSIE referers were a similar-business site's generated search result, not a major search engine's per se, or any image search, etc. mAgent had no referers.

* The pattern:

17:11:39 - MSIE; no ref; favicon.icn
17:11:39 - MSIE; no ref; /
17:11:40 - mAgent; site ref; /
18:52:18 - MSIE; no ref; /
18:52:19 - mAgent; site ref; /

* The format of the referer search was:

http://the.referersite.com/example_description.cfm?sa_id=123&search_city=New York

If mAgent kicks in like malware, spyware or adware, or worse, perhaps it's keying in on something in the string, like that packer'd JavaScript exploit that hijacks Google referers and injects a spam-loading spam div. Or something. (Sorry, I forget the name of the exploit.)