a 4XX status code response would be most appropriate.

I add their IP address to my firewall block list for a period of time that depends on how bad their actions were.

I think you may be thinking of wpoison

Die, spammer, die

Is that German?
[youtube.com...]

Seriously 4XX

a 4XX status code response would be most appropriate.

But which 4xx? For some types of requests, such as ones in /wp-blahblah, I like to return a manual 404--meaning the server doesn't have to waste time looking for a nonexistent file on the off chance the robot wasn't blocked on other grounds--because it gives no information. A 403 says “I’m onto you”; a 404 says “Er, dur, I have no idea what you’re talking about.”

For certain types of /contact requests--typically involving a specific other page as referer--I redirect (not rewrite) to an all-purpose page that says among other things “You have inadvertently replicated the behavior of an undesirable robot”, with option of continuing on to the the Contact page. (Nobody ever does.) In fact I use this page for several purposes. At least 99 times out of 100 the text is a barefaced lie, but it does no harm, and is less insulting in the rare case when it is true. Currently its main function is to intercept human page requests from geographical regions where I have reason to believe nobody ever reads the search snippet, so why should the server go to the work of sending out a complete page.

Is that German?

Funny, I tend to think of spammers as grammatically masculine. (Quick detour to Cassell's Dictionary assures me that beards* are too.) With the possible exception of the ones that hit Disqus threads with a made-up female name.


* Granted, it would be funnier if beards were grammatically feminine, but the German language doesn't have much of a sense of humor.

Im Using Cleantalk Antispam and Spamfirewall.

For the past year I've been keeping notes on spam IP addys to see which ones were one-offs and which were not.
Now I've been dropping cloud server IP ranges into my htaccess to block them from scraping or hack probing some of my sites.

Strangely, or maybe not, I find the process of researching the IPs, documenting them, then adding to the block list to be very relaxing.

Just last night I spent and hour and a half blocking a troublesome developing world telecom IP range as well as 80% of a cloud hosting IP addys that pissed me off because they were hitting one of my sites really hard.

For the past week the amount of spammers and scrapers have been the lowest in a long time. So that's a win.

Aside from that, Akismet, WordFence and Fail2Ban (at server level) are pretty useful.

WordFence makes it easy to do some of the more tedious tasks, like blocking Tor Exit Nodes without having to block over a thousand individual IP addys. But I try not to rely on WordFence too much as it can get resource intensive. It's very useful for tracking bot trends.

As my .htaccess grows I wonder if there are any IPs left to block ... then I realize that IVP4 is 4,294,967,296 addresses.

IVP6 is 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.

Looks like a long road ahead. (sigh)

... and that's why I changed over to header-based blocking back around 2015. Over the years I have also had to block a handful of IP addresses when their humanoid robots become too vexatious, but that's very much the exception. (At current count, I make it 34 lines of “Require ip”.)

Heh! I see my exaggeration and humor didn't hit the mark. I just looked, I have 67 lines of ip deny, so it really isn't that much for an itty bitty site. However, it always means I am reactive rather than pro-active.

On the other hand, I've never explored header based blocking. Is there a source/sample I can look at? Always ready to learn something new.

... I've never explored header based blocking. Is there a source/sample I can look at? Always ready to learn something new.

almost 10% of the threads you post in are in the forum where we discuss exactly this.

Blocking Methods [webmasterworld.com]

As my .htaccess grows I wonder if there are any IPs left to block

At the end of the day you can be shooting yourself in the foot and block potential clients.
There are mail services that use random IPs and dynamically assigned IP addresses. So all you can be blocking is whole networks of innocent services.

Assumptions that all folks use php, I don't.

Blocking I do is narrow/targeted.

As I said 67 lines ... pretty doable.

Thanks!

>>>>you can be shooting yourself in the foot and block potential clients.

We're not talking about email spam. Spam bots are bots that fill out forms or fake member profiles.

There are also hack bots that probe a site for vulnerabilities.

Then there are scrapers that steal content.

Not likely when legit users to an English language site are blocked when most of what's being blocked is web hosts, cloud hosts, VPNs associated with hackers and spammers, TOR exit nodes and developing nations that have all have a years-long proven record of traffic consisting of hacking bots, comment form spam, email form spam, etc.

Okay, well maybe the OP is, lol. But email spam bots quite often come from the same origins as I described, web hosts and cloud hosting platforms.