brokaddr - 7:31 am on Jun 28, 2013 (gmt 0)
I used the firefox user agent switcher & copied one of the UA's from my 403 log.
I tried to access one of the pages the bots were looking for.
In the log, my visit showed up as broken images and i saw only the text/links of the 403 page. (Error document /403.php - for example)
When the actual bots visit, it's just 1 click and only the page they tried to reach shows up in the logs. The css/images, etc don't show up in the 403 logs.
The 403 logs is a script I've written myself that logs every hit to "403.php"
That makes me wonder if this is IP based, then.
I really doubt you want to take the RewriteLog approach.
This seems a little scary. If I make a mistake and fill the logs up & cause a crash to the server, it'll take 3+ hrs for the data center to reboot, if my last accidental crash from filling up logs is any indication.
Look in the CP and Security Section for Deny IP.
I've checked the firwall & didn't see their IPs. Also, when an IP is firewalled they don't show up in my 403 logs.