I generally prefer an error that doesn't indicate that there's something there worth digging into, so that'd probably be a 404. You don't want
http://www.example.com/blog/non-existent-post
to give a 404, while
http://www.example.com/admin-panel/format-hard-drive
to give a "You do not have permission to access this URL". That just screams "Find a hole and hack me!!"
On the other hand, you should think about whether you really want a webmaster notification or not. If you get the notification, what are you actually going to do about it?
I've worked on large systems that start out being incredibly paranoid about all their input, and any time they get an invalid message, they log it and possibly even page the NOC. (Error! Emergency! Attempted to fetch article 523 but it doesn't exist! It's missing! Go page the person who might be able to restore article 523 from backups!)
That's useful to work out the bugs. And, eventually, you realize that there's a pattern to the few errors that remain; they always come from screen names like "133tHotGeek4u". And you deduce that hackers have found a way to send requests for arbitrary article numbers to your server. And that's when you turn it from a log message into a report statistic so you can see what percentage of your bandwidth budget is going toward hacker activity. And then you ignore it.