A couple times a month, my smallest site is visited by an apparent robot from an IP belonging to a well-established, reputable ISP. Page and js only (it would get css too, but there isn't any). Dating back a year, always with the identical humanoid UA.* On a whim I fired off the form letter that says "Please tell the user at such-and-such to clean their machine." After some further back-and-forthing, I got a reply that says --yikes! I'm not violating The Rules by quoting, am I?--

This IP belongs to a trusted source doing malware research. They are replicating viruses on infected computers for research purposes only.

Say what now? Is this something everyone but me has always known about? Something tells me the ISP is not going to divulge any more information.

Looking up the UA, I find it in only two other places. One is in the same site's records from a different IP, this one belonging to a web security firm -- afaik, no connection to the Major ISP. And one isolated visit to my primary site, months ago. (That's how I know they would have got the CSS, had there been any.)


* Further puttering around as I write this post reveals that the UA is also almost identical to one used for, hm, another well-established and comparatively reputable purpose. Is this the Neiman Marcus of robots? No wget or python urllib for us, nosirree, let's get something just humanoid enough to slip under the radar.