Been watching our form input logs and most of them are offshore. But we have one guy here in the U.S., Florida, specifically.

His mistake was hitting us from one IP that was traced to only one class C, then hit us AGAIN from an IP that revealed the class C was part of a class A. The first instance we blocked the class C, and sent a respectful "possible security breach/spam from your IP, if this is not you, sorry" email via the whois lookup.

The second time the class A involved three companies - and lo and behold, all three companies lead to the same registrant. Same address, different company names, same person. Apparently he is using part of the IP's under three separate entities, and when I checked the whois this time he had made the email address anonymous. I obviously tipped him off, so most likely the attack is intentional.

The company I'm doing this for is not interested in offshore business. But if he's selling this bandwidth, we may be blocking legitimate customers. Should I take further action, and who would I send it to if I did?

Or should I just consider it good enough that we've blocked his attempts and let him spam at will?