I am seeing a very strange thing in my website logs. I am getting visits
from someone whose IP address is known. Their browser string looks like
this:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; 1.22.1 ;
..NET CLR 1.1.4322)

I.e.: IE6, WinXP, and Fun Web Products browser add-on.

When this visitor hits on image files or downloads an .exe, the IP address
shows as their actual IP address. But when they request a web page, the
remote IP address is somewhere in San Diego (CERFnet) or Cary, NC (Cable &
Wireless). So...the browser has been hijacked. The question is, by whom?

I asked this person to disable the Fun Web Products software, and they
claimed to have done so. But the web logs still show the same browser
string, and the remote-location IP addresses.

Anyone have a clue whether this is a Fun Web Products thing? Does their
PopSwatter product actually send all web page requests to other locations
for filtering, and, if so, how can they say their software is not spyware?

nf