Extreme brazenness

         

lucy24

11:17 pm on Oct 22, 2011 (gmt 0)




In the most recent logs I found a series of hits to a roboted-out directory by something calling itself Extreme Picture Finder. Well, OK, let's be fair: it didn't know it wasn't allowed in there, because it didn't read robots.txt. Maybe it doesn't think of itself as a robot.

Normally we wouldn't post links, but I think the application's own page describes them better than I ever could:

[exisoftware.com...]

Who wouldn't want to add a tool whose features include:
- Download images, music, video or any other types of files from websites automatically
- Find pictures with built-in web picture search engine
- Up to 30 simultaneous connections - you'll have your files very fast
- Download from TGP and password-protected sites


What to do, what to do...

BrowserMatch "Extreme Picture Finder" keep_out

keyplyr

11:33 pm on Oct 22, 2011 (gmt 0)




So the UA is "Extreme Picture Finder"? (Always helpful for me when the entire UA string is posted so I can code accordingly.)

Looks like earlier version UAs were "Internet Picture Finder." And when "Extreme Picture Finder" is bundled with "Internet Search Tools" it does not display a UA entry of its own at all.

lucy24

2:00 am on Oct 23, 2011 (gmt 0)




Yup, "Extreme Picture Finder" is the exact UA from beginning to end.

The IP was

99.95.nnn.nnn

but I kinda assumed blocking by UA would be more effective. It's splat in the middle of an innocuous ATT range. It might even be a human user's IP; don't know how that works.

Looks like earlier version UAs were "Internet Picture Finder." And when "Extreme Picture Finder" is bundled with "Internet Search Tools" it does not display a UA entry of its own at all.

Further pawing through raw logs suggests that the very word "Internet" occurring anywhere in the UA string is grounds for blocking. I find:

from someone blocked by IP so long ago that I can't even remember why I blocked them *
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rogers Hi-Speed Internet; SV1; Alcohol Search; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

and (here, the "MSIE <6" ** would have got them blocked anyway)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Cox High Speed Internet Customer; .NET CLR 1.1.4322)

and similarly
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Cox High Speed Internet Customer; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 3.1)

Further afield:

Internet Explorer

Really. In full. And ### and ### it all, I overlooked them thanks to forged referer that got them auto-ignored in log wrangling. That last one lives at ... well, ### again. It's bluecoat, using a fractionally different IP than the exact address they've always used with me in the past. But what are they doing, snooping around images with a forged IP? That's not their normal behavior at all.


* Looked them up. It's websense. Blocked eons ago on the "I don't like your face" principle. Using forged UAs is not calculated to make them any handsomer.

** MSIE 6 can only come in if they arrive via a search engine. Some people really do have very old computers.
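
An added example, not part of any post in this thread: a Python sketch of the two log checks discussed above, finding clients that hit a robots.txt-disallowed directory without ever fetching robots.txt, and dry-running a candidate BrowserMatch pattern to see which user agents it would tag before deploying it. It assumes Apache combined log format; the log lines, the documentation-range IPs, the `/private/` directory and `ExampleBot` are constructed, and Python's `re` stands in for Apache's regex engine.

```python
import re
from collections import Counter

# Constructed sample lines (combined log format); UA strings are the ones quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Oct/2011:21:02:11 +0000] "GET /private/img1.jpg HTTP/1.1" 200 5120 "-" "Extreme Picture Finder"
192.0.2.10 - - [22/Oct/2011:21:02:12 +0000] "GET /private/img2.jpg HTTP/1.1" 200 4096 "-" "Extreme Picture Finder"
198.51.100.7 - - [22/Oct/2011:21:05:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleBot/1.0"
198.51.100.7 - - [22/Oct/2011:21:05:41 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "ExampleBot/1.0"
203.0.113.5 - - [22/Oct/2011:21:09:03 +0000] "GET /pics/a.png HTTP/1.1" 200 700 "http://example.com/" "Internet Explorer"
203.0.113.9 - - [22/Oct/2011:21:10:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Cox High Speed Internet Customer; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 3.1)"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(log_text):
    """Return (ip, path, user_agent) for each well-formed line; skip the rest."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append(m.groups())
    return out

def robots_ignorers(entries, disallowed):
    """Count hits under disallowed prefixes by clients that never requested /robots.txt."""
    read_robots = {(ip, ua) for ip, path, ua in entries if path.split("?")[0] == "/robots.txt"}
    hits = Counter()
    for ip, path, ua in entries:
        if (ip, ua) not in read_robots and path.startswith(tuple(disallowed)):
            hits[(ip, ua)] += 1
    return dict(hits)

def rule_matches(entries, pattern):
    """Dry-run a candidate BrowserMatch regex: the distinct UAs it would tag."""
    rx = re.compile(pattern)  # unanchored and case-sensitive, like BrowserMatch
    return {ua for _, _, ua in entries if rx.search(ua)}

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print(robots_ignorers(entries, ["/private/"]))
    for pat in ("Extreme Picture Finder", "Internet", r"^Internet Explorer$"):
        print(pat, "->", sorted(rule_matches(entries, pat)))
```

On the sample, the bare pattern `Internet` tags both the lone "Internet Explorer" UA and the ISP-branded MSIE 7 string, while the anchored pattern tags only the former.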