i would check the access logs of input source. first thoughts from seeing 'troll'.. maybe theres an exploit on the input server that someone is taking advantage of... does the problem still arise with a different input source?