Forum Moderators: phranque

How to block old versions of browsers

         

TechSense

8:28 am on Apr 14, 2012 (gmt 0)

I find the log spammers using old versions of browsers to access my site, mostly Firefox 3.x.x, Explorer 6.0, and Safari 5xx.x. How do I block these old version browsers in .htaccess?

g1smd

8:41 am on Apr 14, 2012 (gmt 0)

Use a RewriteCond to detect the user agent and use a RewriteRule with the [F] flag to block those requests.

lucy24

9:28 am on Apr 14, 2012 (gmt 0)

Watch out for dual-named UA strings. The Chrome UA always includes the word "Safari"; the Camino UA always includes "Firefox". (Matter of fact I just put in a bug report asking them to please stop saying "like Firefox 3.x.x" since all it does is get people locked out undeservedly.)

But you can also lock out anyone with nonsense combinations, like "Opera" and "MSIE" in the same string.

My current hair-splitting MSIE rules are

RewriteCond %{HTTP_USER_AGENT} MSIE\ (5\.[3-9]|6)
RewriteCond %{HTTP_USER_AGENT} Mac
RewriteRule (\.html|/)$ - [F]

(these browsers simply never existed) and-- ahem!-- later

RewriteCond %{HTTP_USER_AGENT} MSIE\ [56]\.\d
RewriteCond %{HTTP_USER_AGENT} !Mac
RewriteCond %{REMOTE_ADDR} !^(206|64)\.
RewriteCond %{HTTP_REFERER} !\?
RewriteRule (\.html|/)$ boilerplate/goaway.html [L]

Some of those exceptions are specific to my site; you won't need them.

Oh, and as a result of poking through raw logs for other bannables:

RewriteCond %{HTTP_USER_AGENT} AOL
RewriteCond %{HTTP_USER_AGENT} !AOLBuild
RewriteRule (\.html|/)$ - [F]

I've also got a block on "America Online Browser" but that's next door in the BrowserMatch group.

TechSense

11:53 am on Apr 14, 2012 (gmt 0)

Hi Lucy,

Thank you for the guide. I'm a noob, could you please give me the exact rules to block (403 forbidden) those using Firefox 3.x.x, Explorer 6.0, Opera 9.xx and Safari 532.x?

I have blocked many spam domains, referrer words, and even some ccTLDs. However, there seem to be endless domains and referrers to block.

Thank you.

wilderness

1:45 pm on Apr 14, 2012 (gmt 0)

could you please give me the exact rules to block (403 forbidden)


RewriteCond %{HTTP_USER_AGENT} MSIE\ (5\.[3-9]|6)
RewriteCond %{HTTP_USER_AGENT} Mac
RewriteRule (\.html|/)$ - [F]


She gave you something darned close in the above.
Simply modify for the others.

iamzippy

2:21 pm on Apr 14, 2012 (gmt 0)

My current haiku works a charm:

<IfModule mod_setenvif.c>

# Mozilla prior to 4.0
BrowserMatchNoCase ^Mozilla/[0-3] legacy=mozilla

# malignant Mozilla versions
BrowserMatchNoCase ^.?mozilla(?:$|/(?:(?:[^45]|[45]\.(?:[^0]|0\S))|(?:(?:[45]\.0\s\(compatible;?\)|5\.0(?:\s\((?:en(?:-US)?)?\))?)$))) legacy=mozilla

# MSIE prior to 7.0
BrowserMatchNoCase MSIE\D+[0-6]\.[\d.]* legacy=msie

# Firefox prior to 4.0
BrowserMatchNoCase Firefox\D+[0-3]\.[\d.]* legacy=firefox

# Chrome prior to 9.0
BrowserMatchNoCase Chrome\D+[0-9]\.[\d.]* legacy=chrome

# Safari (inc Mobile) prior to 534
BrowserMatchNoCase Safari\D+(?:[0-4]+|\d?53[0-3]\.[\d.]*) legacy=safari

# Opera prior to 9.80
BrowserMatchNoCase Opera\D+(?:[0-8][\d.]*|9\.[0-7]) legacy=opera

# Seamonkey prior to 2.6
BrowserMatchNoCase SeaMonkey\D+(?:[01]|2\.[0-5]) legacy=seamonkey

Deny from env=legacy
</IfModule>

Never gets a whiff of the rewrite phase.

[edited by: incrediBILL at 10:23 pm (utc) on Apr 14, 2012]
[edit reason] disabled smilies [/edit]

lucy24

6:04 pm on Apr 14, 2012 (gmt 0)

My current haiku works a charm:

... but only because htaccess doesn't have smileys. Here they all seem to be the result of no-capture flags ?: coming immediately before an open-quote.

The Camino folks insist that Camino really is "like Firefox 3.whatever" even if it was just updated last month. So I hope there's nothing on your site that I want to see. Firefox for Linux also follows a different numbering system.

Thoughtful of you to only block Mozilla-with-conditions on English-language systems. You never know what people in impoverished countries like Germany might be stuck with.

Incidentally you don't need the <IfModule...> envelope. Nobody does, ever. It's included in boilerplate htaccess to allow for the horrid possibility that the end user doesn't have mod_setenvif or mod_rewrite or some other absolutely crucial module. Either you have it or you don't. If you don't, change hosts ;)

TechSense

4:36 am on Apr 15, 2012 (gmt 0)

@iamzippy, thank you for the help.

-------
# malignant Mozilla versions
BrowserMatchNoCase ^.?mozilla(?:$|/(?:(?:[^45]|[45]\.(?:[^0]|0\S))|(?:(?:[45]\.0\s\(compatible;?\)|5\.0(?:\s\((?:en(?:-US)?)?\))?)$))) legacy=mozilla
-------

Could you please simplify the rule to block the old Mozilla versions regardless of the language systems?

I've added rules and they work great. But there are still spam visits from old Mozilla browsers from countries that do not speak English. There are quite a number of spam servers in these countries.

[edited by: phranque at 6:31 pm (utc) on Oct 4, 2018]
[edit reason] Disable graphic smile faces for this post [/edit]

lucy24

5:29 am on Apr 15, 2012 (gmt 0)

Oops. When I said "open quote" I meant "open parenthesis". There exist smileys that use quotation marks, but not on this forum. Unless they're hidden away in the Members Only area ;)

Anyway, Our Fearless Moderator should come to your rescue too.

I've spent the day trying to make myself accept that if a nasty robot is already banned due to its behavior--such as asking for nonexistent php files or running around without any clothes on--it doesn't matter if it lives in such a teeny IP block that it's not worth denying from that side. Somehow a lockout just doesn't feel real unless it's aimed squarely at the IP.

TechSense

8:31 am on Apr 15, 2012 (gmt 0)

@iamzippy, I got it.

iamzippy

8:56 am on Apr 15, 2012 (gmt 0)

@TechSense - Thanks for that. If it's any consolation, I also still get spammy visits and always will.
There's nothing you can do to stop them hitting your server, you just need to keep on blocking at the lowest level possible.
These directives just provide a basic first-line-of-defence.

simplify the rule to block the old Mozilla versions regardless of the language systems


The first directive does that, regardless of geography. No Mozilla older than 4.0.
The second handles a few oddball Mozilla signatures taken from my logs that I know to be connected with badness.

Some examples:

Mozilla
Mozilla/4.0 (compatible;)
Mozilla/4.04
Mozilla/4.61 [en]
Mozilla/4.76 [en]
Mozilla/4.8 [en]
Mozilla/5.0
Mozilla/5.0 ()
Mozilla/5.0 (en)
Mozilla/5.0 (en-US)
"Mozilla/5.0
Mozilla/5.0 (compatible)
Mozilla/6.0 (compatible)

... and a dozen more like those. I edit the expressions to counter new baddies as they show up. It's more fun than cryptic crosswords and it keeps me out of the pub.

@lucy24 - Impoverished Germans are not the issue. I doubt that any of us put much stock by language codes in legacy/faked UAs.
They're more often the output of a UA rotator, and come from all manner of netblocks including EC2, as we all know.

you don't need the <IfModule...> envelope


Who'da thunkit?

[Not sure what the edit was about. I previewed before posting and reviewed afterwards, and it looked just fine to me.]

[edited by: phranque at 6:32 pm (utc) on Oct 4, 2018]
[edit reason] Disable graphic smile faces for this post [/edit]
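
User-agent rules like the ones in this thread can be checked offline before they go into .htaccess. The following is an added example, not code from any poster: it runs the thread's BrowserMatchNoCase patterns through Python's `re` (assumed here to stand in for Apache's PCRE matching) against the signatures listed above and a few constructed full UA strings. The rule labels and the constructed strings are hypothetical.

```python
import re

# Patterns copied from the BrowserMatchNoCase directives posted in this thread.
# Assumption: re.IGNORECASE + search() stands in for Apache's case-insensitive,
# unanchored PCRE match. The rule labels are invented for this example.
RULES = [
    ("mozilla<4", r"^Mozilla/[0-3]"),
    ("mozilla-odd", r"^.?mozilla(?:$|/(?:(?:[^45]|[45]\.(?:[^0]|0\S))|(?:(?:[45]\.0"
                    r"\s\(compatible;?\)|5\.0(?:\s\((?:en(?:-US)?)?\))?)$)))"),
    ("msie", r"MSIE\D+[0-6]\.[\d.]*"),
    ("firefox", r"Firefox\D+[0-3]\.[\d.]*"),
    ("chrome", r"Chrome\D+[0-9]\.[\d.]*"),
    ("safari", r"Safari\D+(?:[0-4]+|\d?53[0-3]\.[\d.]*)"),
    ("opera", r"Opera\D+(?:[0-8][\d.]*|9\.[0-7])"),
    ("seamonkey", r"SeaMonkey\D+(?:[01]|2\.[0-5])"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]

def matched_rules(ua):
    """Labels of every rule that would set the `legacy` variable for this UA."""
    return [label for label, rx in COMPILED if rx.search(ua)]

# Oddball signatures listed in the thread; all should hit the second Mozilla rule.
POSTED = ["Mozilla", "Mozilla/4.0 (compatible;)", "Mozilla/4.04", "Mozilla/4.61 [en]",
          "Mozilla/4.76 [en]", "Mozilla/4.8 [en]", "Mozilla/5.0", "Mozilla/5.0 ()",
          "Mozilla/5.0 (en)", "Mozilla/5.0 (en-US)", '"Mozilla/5.0',
          "Mozilla/5.0 (compatible)", "Mozilla/6.0 (compatible)"]

# Constructed full UA strings (not from the thread) to look for collateral blocks.
CONSTRUCTED = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "firefox11": "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0",
    "chrome18": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) "
                "Chrome/18.0.1025.162 Safari/535.19",
    # [0-9] in the Chrome rule also covers 9.x
    "chrome9": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.13 (KHTML, like Gecko) "
               "Chrome/9.0.597.98 Safari/534.13",
    # Camino advertises "like Firefox/3.x", so the Firefox rule catches it
    "camino": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en; rv:1.9.2.28) "
              "Gecko/20120308 Camino/2.1.2 (like Firefox/3.6.28)",
}

def audit():
    """Map every sample UA to the rules it trips (empty list = request allowed)."""
    samples = POSTED + list(CONSTRUCTED.values())
    return {ua: matched_rules(ua) for ua in samples}

if __name__ == "__main__":
    for ua, hits in audit().items():
        print(f"{'DENY ' if hits else 'allow'} {hits!s:18} {ua}")
```

Running the same audit over User-Agent values pulled from a real access log shows which legitimate visitors a rule change would lock out before it is deployed.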