dstiles - 9:21 pm on Nov 4, 2013 (gmt 0)
This may go beyond server-blocking. There are a lot of general "attacks" coming from compromised DLS-based machines or from DSL-based clever-clogs trying it on. And bad bots that switch UAs are not in the majority in my experience.
There are ways to trap bots (or at least, chancer humans) using header fields but does the subject of this thread send headers? The title "headless browser" suggests not but I think that's an incorrect reading on my part. If header fields are still sent AND are screwy then we stand a chance. Once they start putting believable header field combinations into bots, then we're stuffed.
Meanwhile, perhaps a few more in-page traps leading to IP trapping?