
Comcast Buss & APNIC

         

wilderness

2:35 pm on Mar 29, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Comcast Buss was the initial request.
No images, no robots.

In all, nine APNIC IPs over a four-minute period.
Some IPs were repeated.
The 122 Class A range requests were repeated six times.

Requested page was immediately followed with a root request.

173.13.195.zz - - [29/Mar/2012:12:29:27 +0100] "GET /Myfolder/MySub/MyPage.html HTTP/1.1" 403 533 "http://www.example.com/RequestedFolder/RequestedSub/RequestedPage.html" "Opera/8.00 (Windows NT 5.1; U; en)"
122.11.46.zzz - - [29/Mar/2012:12:30:19 +0100] "GET /SameFolder/SameSub/SamePage.html HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedSub/RequestedPage.html" "Opera/8.00 (Windows NT 5.1; U; en)"
173.13.195.zz - - [29/Mar/2012:12:30:20 +0100] "GET / HTTP/1.1" 403 533 "http://www.example.com/SameFolder/SameSub/SamePage.html" "Opera/8.00 (Windows NT 5.1; U; en)"
122.11.46.zzz - - [29/Mar/2012:12:30:21 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/SameFolder/SameSub/SamePage.html" "Opera/8.00 (Windows NT 5.1; U; en)"


The most unusual was the very last two, in which a different IP (in the same block) was used for the page request and the root request:
122.72.0.z - -
122.72.2.zzz

If anybody is interested in the other APNIC ranges I'll add.

dstiles

7:19 pm on Mar 29, 2012 (gmt 0)




Odd to see them interleaved like that. I often get servers trying to access my sites via a proxy (normally a compromised broadband machine) but then it's an obvious FWD-FOR.

It's possible that the comcast user is using chinese compromised IPs or vice versa OR that something else is using both as proxies.

I assume there is no FDW-FOR involved in any of the hits?

wilderness

7:26 pm on Mar 29, 2012 (gmt 0)




What's a "FDW-FOR"?

Comcast has many open proxies that spammers and others frequently use. Whether this CC IP is one of those, I've not checked.

wilderness

12:24 am on Mar 30, 2012 (gmt 0)




If "Foreign Data Wrapper"?

It wouldn't benefit visitors to my sites.

My pages are ALL simple html, absent any MySQL and/or PHP.
There are a mere two scripts with the root or below (one for a contact form and the other for a solitary Java slideshow).

dstiles

8:11 pm on Mar 30, 2012 (gmt 0)




FWD-FOR - aka HTTP_X_FORWARDED_FOR - part of the proxy protocol: the originating IP which the proxy is Forwarding For.

Typically, in my logs, some server-based scraper/hacker IP FWD-FOR via several compromised servers or (more often) broadband IPs.

If a proxy server is running in "stealth" mode the FWD-FOR IP is not given. In some cases the proxy may be a local proxy/firewall forwarding for its own IP, in others it's a nasty.
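The post above describes the three cases a server sees: a proxy that announces the originating address in X-Forwarded-For, a "stealth" proxy that sends nothing, and a local proxy or firewall forwarding for itself. The following is an added example, not code from the thread or from any poster, showing how a defender can classify a hit from those two inputs (the TCP peer address and the raw header). It assumes a constructed list of trusted proxy ranges (TRUSTED_PROXIES) and treats any other peer that sends the header as an unknown intermediary whose claim is logged but never used as the client address, since the leftmost X-Forwarded-For entries are writable by whoever is on the other end:

```python
import ipaddress

# Constructed example: the address ranges of the reverse proxies this site
# really sits behind.  Anything else that presents an X-Forwarded-For
# header is an outside proxy whose claim we log but do not act on.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted_proxy(addr):
    """True if addr is one of our own proxies; malformed input is never trusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_xff(header):
    """Split an X-Forwarded-For value into well-formed addresses, left = first hop.

    Tokens that are not valid IPs (junk, hostnames, injected text) are dropped
    so they cannot end up in downstream allow/deny logic.
    """
    addrs = []
    for token in (header or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addrs.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return addrs


def resolve_client(remote_addr, xff_header):
    """Return (client_ip, chain, kind).

    kind is one of:
      direct         - no forwarding header; the peer is the client
      unknown-proxy  - a peer we do not operate claims to forward for someone
      trusted-proxy  - our own proxy; client is the rightmost hop we did not add
    """
    chain = parse_xff(xff_header)
    if not is_trusted_proxy(remote_addr):
        return remote_addr, chain, ("unknown-proxy" if chain else "direct")
    # Walk from the hop nearest to us outward; the first address that is not
    # one of our proxies is the client.  Leftmost entries are attacker-writable.
    for hop in reversed(chain):
        if not is_trusted_proxy(hop):
            return hop, chain, "trusted-proxy"
    # Every hop was one of ours: an internal request.
    return remote_addr, chain, "trusted-proxy"


def access_log_suffix(remote_addr, xff_header):
    """Extra fields to append to an access-log line so the real peer address
    is never lost, whatever the header claims."""
    client, chain, kind = resolve_client(remote_addr, xff_header)
    return 'peer=%s client=%s kind=%s xff="%s"' % (
        remote_addr, client, kind, ",".join(chain) or "-")


if __name__ == "__main__":
    # Constructed sample inputs covering the three cases discussed above.
    for peer, xff in [("203.0.113.5", None),
                      ("203.0.113.5", "198.51.100.7"),
                      ("192.0.2.10", "127.0.0.1, junk, 198.51.100.7, 10.1.1.1")]:
        print(access_log_suffix(peer, xff))
```

The "unknown-proxy" result is the situation the post calls a FWD-FOR hit: the peer is the proxy, and the header is evidence about who is behind it, not a client address to block or allow on its own. A stealth proxy is indistinguishable from a direct visitor here, which is exactly why the peer address must always be kept in the log.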

wilderness

12:31 am on Mar 31, 2012 (gmt 0)




Reluctant to add this here, however it's the same method.

Eleven IP ranges within one-minute-thirty-seconds.
The same UA was used for ALL the page requests, while a different SAME UA was used for all the root requests.

What's puzzling is the MS range in the middle (line break)?
Open proxies at MS?

86.100.82.zz - - [31/Mar/2012:00:29:26 +0100] "GET /MyFolder/MyPage.html HTTP/1.0" 403 - "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
86.100.82.zz - - [31/Mar/2012:00:29:26 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
115.124.92.zz - - [31/Mar/2012:00:29:31 +0100] "GET /SameFolder/SamePage.html HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
115.124.92.zz - - [31/Mar/2012:00:29:36 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
209.118.181.zz - - [31/Mar/2012:00:29:47 +0100] "GET /SameFolder/SamePage.html HTTP/1.1" 200 16929 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
220.136.20.zzz - - [31/Mar/2012:00:29:53 +0100] "GET /SameFolder/SamePage.html HTTP/1.1" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
114.45.62.zzz - - [31/Mar/2012:00:29:54 +0100] "GET / HTTP/1.1" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"

65.55.73.109 - - [31/Mar/2012:00:29:56 +0100] "GET /SameFolder/SamePage.html HTTP/1.0" 200 16929 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"

114.45.58.zzz - - [31/Mar/2012:00:29:57 +0100] "GET /SameFolder/SamePage.html HTTP/1.1" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
114.45.62.zzz - - [31/Mar/2012:00:29:58 +0100] "GET / HTTP/1.1" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
125.19.212.zzz - - [31/Mar/2012:00:30:01 +0100] "GET /SameFolder/SamePage.html HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
125.19.212.zzz - - [31/Mar/2012:00:30:02 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
115.124.92.zz - - [31/Mar/2012:00:30:05 +0100] "GET /SameFolder/SamePage.html HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
115.124.92.zz - - [31/Mar/2012:00:30:15 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
202.183.138.zzz - - [31/Mar/2012:00:30:28 +0100] "GET /SameFolder/SamePage.html HTTP/1.1" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
202.183.138.zzz - - [31/Mar/2012:00:30:39 +0100] "GET / HTTP/1.1" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
41.75.201.zzz - - [31/Mar/2012:00:30:51 +0100] "GET /SameFolder/SamePage.html HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
41.75.201.zzz - - [31/Mar/2012:00:30:52 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/RequestedFolder/RequestedPage.html" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"

The puzzling question is why on earth somebody from Lithuania wishes so desperately to read about a widget person that's been dead for thirty years, while the widget article was actually published thirty-six years ago.

FWIW, I'm denying the MS IP to the Class D, and as a proxy.

RewriteCond %{HTTP_USER_AGENT} 98\)$
RewriteCond %{REMOTE_ADDR} ^65\.55\.73\.
RewriteRule .* - [F]
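The log excerpts in this thread share one shape: the same referer and user-agent, a page request immediately followed by a root request, repeated from many unrelated IP blocks inside a minute or two, sometimes with a different IP of the same block doing the root request. The rewrite rule above blocks one IP and one UA after the fact; the following is an added example, not code from the thread or from any poster, of how a defender could surface that shape automatically from a combined-format access log. It assumes constructed sample lines (SAMPLE_LOG, using documentation address ranges) and hypothetical threshold names (window_seconds, pair_seconds, min_ips); it generalizes the thread's two cases into one rule, "several distinct IPs reproducing the same page-then-root sequence under one referer/UA in a short window":

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the same layout as the lines posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, not the thread's own lines: three blocks, one UA, one
# referer, page-then-root pairs, plus one unrelated benign visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2012:00:29:26 +0100] "GET /widgets/history.html HTTP/1.0" 403 533 "http://www.example.com/widgets/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.0.113.7 - - [31/Mar/2012:00:29:26 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/widgets/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.22 - - [31/Mar/2012:00:29:31 +0100] "GET /widgets/history.html HTTP/1.0" 403 533 "http://www.example.com/widgets/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.22 - - [31/Mar/2012:00:29:36 +0100] "GET / HTTP/1.0" 403 533 "http://www.example.com/widgets/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.45 - - [31/Mar/2012:00:29:53 +0100] "GET /widgets/history.html HTTP/1.1" 403 533 "http://www.example.com/widgets/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.46 - - [31/Mar/2012:00:29:54 +0100] "GET / HTTP/1.1" 403 533 "http://www.example.com/widgets/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.0.113.99 - - [31/Mar/2012:00:40:00 +0100] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_fanout(lines, window_seconds=300, pair_seconds=30, min_ips=3):
    """Group GET hits by (referer, user-agent) and flag groups in which at
    least min_ips distinct addresses appear within window_seconds.  For each
    flagged group, pair every page request with the next root request that
    follows it within pair_seconds, so that a root request issued from a
    different IP than the page request shows up as a cross-IP pair."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            groups[(rec["referer"], rec["ua"])].append(rec)

    findings = []
    for (referer, ua), hits in groups.items():
        hits.sort(key=lambda r: r["ts"])          # stable: keeps file order for equal timestamps
        span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
        ips = {r["ip"] for r in hits}
        if len(ips) < min_ips or span > window_seconds:
            continue
        pairs, used = [], set()
        for i, page in enumerate(hits):
            if page["path"] == "/":
                continue
            for j in range(i + 1, len(hits)):
                root = hits[j]
                if (root["ts"] - page["ts"]).total_seconds() > pair_seconds:
                    break
                if root["path"] == "/" and j not in used:
                    used.add(j)
                    pairs.append((page["ip"], root["ip"]))
                    break
        findings.append({
            "referer": referer,
            "ua": ua,
            "ips": sorted(ips),
            "blocks": sorted({ip.rsplit(".", 1)[0] for ip in ips}),   # /24 prefixes
            "span_seconds": span,
            "pairs": pairs,
            "cross_ip_pairs": [p for p in pairs if p[0] != p[1]],
        })
    return findings


if __name__ == "__main__":
    for f in find_fanout(SAMPLE_LOG.splitlines()):
        print("%d IPs in %d blocks over %.0fs, %d page/root pairs (%d cross-IP): UA %r" % (
            len(f["ips"]), len(f["blocks"]), f["span_seconds"],
            len(f["pairs"]), len(f["cross_ip_pairs"]), f["ua"]))
```

Keying on referer plus UA rather than on the IP is what makes this work against a proxy pool: the addresses rotate, the forged referer and the dated UA string do not. The finding lists the /24 prefixes involved, which is the granularity at which the thread's deny rules are written, and it is a report to review rather than an automatic block, since a single shared UA (as the 65.55.73.109 discussion shows) can pull in an address that is not part of the same operation.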

keyplyr

2:34 am on Mar 31, 2012 (gmt 0)





What's puzzling is the MS range in the middle (line break)?
Open proxies at MS?

Or M$ following the MSIE hits.

wilderness

2:41 am on Mar 31, 2012 (gmt 0)




MS using the same UA as the other rogues?

keyplyr

3:15 am on Mar 31, 2012 (gmt 0)




It's as good an explanation as anything else :)

wilderness

3:46 am on Mar 31, 2012 (gmt 0)




We all know that MS has been devious from day one (i.e., 131.107), however it's certainly enlightening to find out they're involved in a conspiracy against "wilderness" ;)

dstiles

8:35 pm on Mar 31, 2012 (gmt 0)




65.55.73.109 is not a bot IP but it does belong to MS.

I've had 3 hits on that IP in the past couple of days. It was acting as proxy for a UK server IP 88.208.193.215 that's been trying this a lot recently through a wide variety of proxies (approx 250 hits this month alone), mostly compromised broadband and server IPs as noted above from Afrinic as well as Apnic and Arin.

The MS one is unexpected BUT it does have open ports and has DNS of bvt.samples.live-int.com...

PORT STATE SERVICE
80/tcp open http
443/tcp open https

The suggestion, since it is being used as a proxy, is a compromised server - I only checked 1000 ports and others may be open or the hits may be from behind otherwise closed ports or from port 80.

Checking further: xroxy.com has 65.55.73.109 listed as an open proxy using port 80. Whether deliberate or "accidental" I couldn't say.

live-int.com is registered to MS through CSC Corporate Domains. Whether it is actually an MS domain or merely registered through and hosted by them I don't know, but I do not have any bots listed for 65.55.73/24.

Typical hits on my server (note a different UA to above, but consistently "bad" UAs; each hit was "paired", i.e. two hits per IP):

122.72.33.139  China_CTTNET  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET CLR 1.1.4322; .NET CLR 2.0.50727)

65.55.73.160  Microsoft  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET CLR 1.1.4322; .NET CLR 2.0.50727)

222.124.187.238  PT_Telkom_ID  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET CLR 1.1.4322; .NET CLR 2.0.50727)

41.75.201.146  (Nigerian server)  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; MRA 4.6 (build 01425); .NET CLR 1.1.4322; .NET CLR 2.0.50727)

The hits were to sites that typically have no real commercial value.