Unexplained 403 errors

Over the last couple of months we have noted that a few visitors to our web site are receiving 403 errors when accessing certain php scripts. Specifically there are exactly 4 IP addresses thus far that this is happening to, and coincidentally (or not) all 4 of these addresses are based in Norway. Hundreds of other daily hits to the same scripts from other IP's work perfectly. We have searched through all .htacess files and the various security and firewall components and there is nothing that would be blocking or limiting the addresses (3 different providers) that are receiving the 403's. We responded to an email from one of these partially blocked addresses when asked why they were getting the 403's and set up a very simple php script that echos "Hello World" for them to try. Again they receive a 403. Adding IP logging to this script and asking our registered users and staff to try accessing this simple script resulted in 309 hits and no errors. But during this same time period the 403 occurred repeatedly for the Norway-based IP. The only other time I recall seeing something similar was a few years ago when defending against injection attacks questionable query strings were blocked via .htaccess. In this case a 403 was generated, but looking at the logged query string the reason was obvious. In the present case the URL is a plain php script with no query or parameters. (x.php) Any thoughts on how or why this may be happening? Sanity checks appreciated!
Chuck

 

Do you use mod_security rules?
Did you check the Apache logs on the server?

 

Seems some type of traffic filter might be there. Have you tried to whitelist the IP range of those clients getting 403 on the server occasionally?