WHEW!!!
So in contacting my ISP today, I got someone who did more checking into things than the last agent I was working with.
As it turns out, the webmail server was doing a basic IP check then using a reverse domain lookup to verify. 12 horses was a very old client which they let go, probably due to 12 horses being malicious in their activities. The IP they had been assigned via static IP had just not been cleared out of the naming system on XMission's side.
When the webmail server did the IP check and reverse domain check, it then probably noted the old record on XMission's server that hadn't been fully audited, and that's why it gave me the 12 horses. As well, ICANN may still hold old records which may have also contributed to the bad reverse domain lookup results.
They assigned my router MAC a different IP in the DHCP assignments (reserved DHCP) and I got a different last known login location using the same router.
They thanked me for helping them see they needed some further auditing on some of the older IP ranges they have used. I wish I could have gotten this agent from the start but hey... we did uncover a domain somehow doing something illicit! It's also weird that I had the issues logging into the router after Polunus and Alan did their extensive checking in the 12 horses domain... even after fully resetting the router... but that is something I will just qualify as a 'murphyism' I guess.
I am very relieved to know I wasn't dealing with some new NextGen exploit and ended up a target, yet after @Polunus's research on the parked domain showing it is infected, that might be something Avast would want to either further investigate or report to ICANN.
Either way... THANK YOU TO ALL WHO WORKED ON THIS.