I have a dozen or so machines that APPEAR to be accessing this address
through the proxy server on a continual basis. The protocol column
lists "http", "8080" and "hosts2-ns" (I have no idea what the last one is!)

I have pulled audit logs from the Border Manager server for the last three
weeks. Each week, it shows that the most traffic was passed through the
proxy to The packet size is anywhere from 50 bytes to 100K

I scanned several of these machines intensely for viruses and adware with no
luck. All of the running services are valid. One of these machines was
just built. (All are Windows XP SP1)

I have attempted to determine the owner of this address. It is owned and
managed by IANA, but they will not respond to my e-mails sent
to "abuse@iana.org." A port scan of the address turns up nothing. It
does not appear to be a working address, yet the BM logs tell a different

Here is where I pull my hair out!

I put a sniffer on the most active workstations listed in the logs and
removed the proxy settings. After 24 hours, there was not one request for
this address.

Second, I put a sniffer on the public side of the BM for 24 hours. Again,
not one request to this address.

Why does the BM log show this address being accessed yet the traffic
suggests otherwise?

I thought I would ask before sniffing the actual proxy traffic. This will
be difficult as the address would be embedded in the packet
destined for the proxy server. I would have to look at each packet
individually and see what is being requested.
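
The per-packet check described in the last paragraph can be automated. The following is an added example, not part of the original post: it reads the request line of each client-to-proxy payload (a proxy request carries the full destination as `GET http://host:port/...` or `CONNECT host:port`) and counts requests per client and port for one watched address. The function names, the client addresses and the 192.0.2.10 stand-in for the address in question are assumptions, and the payloads are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Request line as a client sends it to a proxy:
#   "GET http://host:port/path HTTP/1.x"  or  "CONNECT host:port HTTP/1.x"
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?$")

def proxy_target(payload: bytes):
    """Return (host, port) requested in one client-to-proxy payload, or None."""
    match = REQUEST_LINE.match(payload.split(b"\n", 1)[0])
    if not match:
        return None  # continuation segment or non-HTTP data
    method = match.group(1).decode("ascii")
    target = match.group(2).decode("latin-1")
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return (host, int(port)) if host and port.isdigit() else None
    try:
        url = urlsplit(target)
        if url.scheme != "http" or not url.hostname:
            return None  # origin-form request ("GET /path"), no proxy target
        return (url.hostname, url.port or 80)
    except ValueError:
        return None  # malformed host or port in the request line

def tally(payloads, watched_host):
    """Count requests per (client, destination port) aimed at watched_host."""
    hits = Counter()
    for client, payload in payloads:
        target = proxy_target(payload)
        if target and target[0] == watched_host:
            hits[(client, target[1])] += 1
    return hits

# Constructed sample: (client IP, TCP payload sent to the proxy).
# Port 81 is the port IANA's service list names "hosts2-ns".
SAMPLE = [
    ("10.0.0.21", b"GET http://192.0.2.10:8080/ HTTP/1.0\r\nHost: 192.0.2.10:8080\r\n\r\n"),
    ("10.0.0.21", b"GET http://192.0.2.10/x HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    ("10.0.0.22", b"CONNECT 192.0.2.10:81 HTTP/1.0\r\n\r\n"),
    ("10.0.0.22", b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.22", b"\x00\x01 binary continuation segment"),
]

if __name__ == "__main__":
    for (client, port), count in sorted(tally(SAMPLE, "192.0.2.10").items()):
        print(f"{client} -> 192.0.2.10:{port}  requests={count}")
```

Comparing the per-client counts with the proxy's own log for the same interval shows whether the logged requests really originate from the workstations.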