Need Help With Router HiJack/Exploit
Hi.
I am having issues with my network being hijacked. I am aware of this as when I log into my email web interface, I get the last login information and it does not match my ISP server or my DNS settings (through my ISP) when I am connected through my TP-Link Archer c3200 WiFi Router.
As you can see from the 2 screenshots attached; one shows the correct information when I hard line directly to my ISP provided Fiber gateway ([MY IP].utopia.xmission.net), the second shows the address I am being re-directed through when I am connected to my router (e221*DOT*mailout*DOT*ekwin*DOT*twelvehorses*DOT*com). I can't find anything other than the WHOIS, which also shows the owner has another URL out of Denmark, 'twelvehorses*DOT*de'.
I get the same result from any computer or device attached to my router (as far as being redirected). This lets me know that the redirect is coming through my router as one of those devices is my phone and it shows the proper IP info when not using the router. I only get redirected through the suspicious IP/URL when connected to my router.
How do I get things under control?
Note: Replaced part of the suspicious URL characters with *DOT* so others don't accidentally click or copy to an illicit URL site.
CORRECT IP/URL WHEN NOT USING TP LINK ROUTER VIA DIRECT GATEWAY
ILLICIT URL WHEN USING TP LINK ROUTER
WHEW!!!
So in contacting my ISP today, I got someone who did more checking into things than the last agent I was working with.
As it turns out, the webmail server was doing a basic IP check then using a reverse domain lookup to verify. 12 horses was a very old client which they let go, probably due to 12 horses being malicious in their activities. The IP they had been assigned via static IP had just not been cleared out of the naming system on XMission's side :P .
When the webmail server did the IP check and reverse domain check, it then probably noted the old record on their server that hadn't been fully audited, and that's why it gave me the 12 horses. As well, ICANN may still hold old records, which may have also contributed to the bad reverse domain lookup results.
They assigned my router MAC a different IP in the DHCP assignments (reserved DHCP) and I got a different last known login location using the same router.
They thanked me for helping them see they needed some further auditing on some of the older IP ranges they have used. I wish I could have gotten this agent from the start as it is unusual to get anything but the best support from any of their agents!
Now aside from that, a member of Avast did some really advanced checking into things and found the domain is parked yet also infected with a clickthrough hijack link somehow. So even though my router is just fine, we did end up finding a URL that is being used for malicious intent:
Avast Forum Thread - this is a link to the Avast member's post, but a couple of others did some amazing research if you want to view everything we did on this.
I am very relieved to know I wasn't dealing with some new NextGen exploit and ended up a target.
Either way... THANK YOU TO ALL WHO WORKED ON THIS.
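The failure mode described in the post above (a webmail server trusting a stale reverse-DNS record) is exactly what a forward-confirmed reverse DNS (FCrDNS) check is meant to catch: resolve the IP to its PTR name, then resolve that name back and require the original IP to appear in the answer. The following is an added example, not code from the original thread or from TP-Link, XMission or Avast. It runs against a constructed, offline sample data set using RFC 5737 documentation addresses and `.example` hostnames; the resolver functions are injectable so the same check can be pointed at the real system resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Resolve IP -> PTR name, then resolve that name back to addresses and require
the original IP to be among them. A stale PTR record (the situation in the
thread above) yields a name that does not forward-resolve to the IP, so that
name must not be displayed or logged as the host's identity.
"""
import socket
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def system_ptr_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the OS resolver; None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward_lookup(name: str) -> List[str]:
    """A/AAAA lookup via the OS resolver; empty list when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns_check(ip: str,
                 ptr_lookup: PtrLookup = system_ptr_lookup,
                 forward_lookup: ForwardLookup = system_forward_lookup) -> Dict[str, object]:
    """Return the PTR name for `ip` and whether it is forward-confirmed.

    status is one of:
      "no-ptr"       no reverse record at all
      "confirmed"    PTR name resolves back to `ip` (safe to display/log)
      "unconfirmed"  PTR name exists but does not resolve back to `ip`
                     (stale or hijacked reverse zone; do not trust the name)
    """
    ptr = ptr_lookup(ip)
    if ptr is None:
        return {"ip": ip, "ptr": None, "forward": [], "status": "no-ptr"}
    forward = forward_lookup(ptr)
    status = "confirmed" if ip in forward else "unconfirmed"
    return {"ip": ip, "ptr": ptr, "forward": forward, "status": status}


# Constructed sample DNS data (RFC 5737 documentation addresses and .example
# names; these are NOT real records). 198.51.100.23 models the thread: the ISP
# reassigned the address to the poster's router but left the previous
# customer's PTR in place, and that old name forward-resolves elsewhere.
# 198.51.100.24 models a correctly maintained forward/reverse pair.
SAMPLE_PTR = {
    "198.51.100.23": "mailout.old-customer.example",        # stale PTR
    "198.51.100.24": "198-51-100-24.customer.isp.example",  # consistent PTR
}
SAMPLE_FORWARD = {
    "mailout.old-customer.example": ["203.0.113.77"],
    "198-51-100-24.customer.isp.example": ["198.51.100.24"],
}


def sample_ptr_lookup(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward_lookup(name: str) -> List[str]:
    return SAMPLE_FORWARD.get(name, [])


def check_sample(ip: str) -> Dict[str, object]:
    """Run fcrdns_check against the constructed sample data (works offline)."""
    return fcrdns_check(ip, sample_ptr_lookup, sample_forward_lookup)


if __name__ == "__main__":
    for sample_ip in list(SAMPLE_PTR) + ["192.0.2.1"]:
        r = check_sample(sample_ip)
        print(f"{sample_ip:15} PTR={str(r['ptr']):40} -> {r['forward']} [{r['status']}]")
```

Call `fcrdns_check("your.public.ip")` with the default arguments to test a live address through the OS resolver. A "last login location" display that only shows the bare PTR name is the weak version of this check; showing the name only when the status is "confirmed" (and otherwise falling back to the IP) would have avoided the misleading result in the thread.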