According to Apple [support.apple.com], they can come from anywhere in the 17.0.0.0 block. The UA and reverse DNS should be used to separate the bot from Apple employees.

Well, that ain't gonna happen. Anyone can forge a UA and there's a lot of hassle getting rDNS. I'll just have to keep an eye on the accesses and enable the ranges as and when.

Although: anyone know how apache (with php) can easily and quickly get an rDNS response AND keep it live for a reasonable period - say several days?

Nobody except Apple can forge the 17.0.0.0 range of IP addresses. The combination of IP range with either reverse DNS or UA should be safe.

Other question is, why would you block the Applebot? It feeds Siri. It would be great if someone asks Siri "What is the best website" and Sire comes up with the answer "Go to dstiles' site".

Well, I know the IP can only be forged with a LOT of effort and is unlikely. :)

If you rely on 17/8 as the range and then check for applebot - well, that was my point, really. A lot of cloud/etc stuff is on 17/8 and I don't trust it. rDNS, yes, fairly safe but it's extra work for the server to get it - and I've yet to find time to work out how.

I've never intentionally blocked applebot. In the current instance I got several 403's overnight and fixed them with an additional IP range the following morning.

I’ve never bothered to look beyond 17. Unlike so many /8 blocks, the whole thing still belongs to Apple and they don’t seem to be renting out to sketchy operators like some ranges we could mention.

Faking an IP isn't necessarily hard--but it doesn't do you any good. It isn’t like a spam caller putting in a fake phone number, or a bogus return address on snailmail. I like to compare it to giving a fake address when ordering something online. You won’t receive the package; the effect is either to incommode someone else by causing them to receive stuff they don’t want, or to hurt the business by making them send things out that then have to be returned.