I agree this is obviously K2S at fault, but what do you think about the fact we never see them in our browsers? Ever ever ever.

I notice JD uses an IE user agent string... but I'm wondering if there's some other way they spot these requests and give them hard/impossible CAPTCHAs.