Blocking an ISP, except for some IPs

helleborine

7:29 pm on May 2, 2005 (gmt 0)

10+ Year Member



Hi,

I have this in my .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/5.0\ \(Macintosh;\ U;\ PPC;\ en-US;\ rv:1.0.2\)\ Gecko\/20030208\ Netscape\/7.02 [NC]
RewriteRule .* - [F]
Allow from all

Now I need to block off, say, evil-ISP.com, with some exceptions, say, IP 123.45.678.9

Can this be done, and how?

And I'd like to take this opportunity to thank everyone at WebmasterWorld. Great forum, great people, good for your karma!

jdMorgan

3:08 am on May 3, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's not clear whether you want the user-agent block combined with the evil-ISP block or in addition to it. I assume the blocks are separate. If not, copy your existing user-agent RewriteCond into the new block of code, making it either the first or second RewriteCond.

I want to warn you that the following code is extremely inefficient. It requires a reverse-DNS lookup of the "evil-ISP's" IP address as {REMOTE_HOST}. This requires your server to request the reverse-DNS of the IP address that it receives with the request. So, while the client is waiting, your server must send the IP address to the DNS system -- which may be local, or may be off-site -- and wait for the response. This ties up the server thread until a response is received. There is also the possibility that no response will be received, and in that case, the requesting client -- guilty or not -- will time out.

Many hosting companies disable the reverse-DNS feature because it is so inefficient. So if the code does not work, that's probably why.

I suggest that you qualify such reverse-DNS lookups as much as possible, and only do them under rare circumstances. To do this, you might consider blocking only a few critical files, a few file types, or only if the user-agent matches some not-very-popular user-agent.


RewriteEngine On
#
# Block one specific user-agent outright (no DNS lookup involved)
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ U;\ PPC;\ en-US;\ rv:1\.0\.2\)\ Gecko/20030208\ Netscape/7\.02 [NC]
RewriteRule .* - [F]
#
# Exempt the one allowed address first (cheap), then check the reverse-DNS
# name; the anchored pattern matches evil.isp.com and its subdomains only,
# not look-alikes such as notevil.isp.com
RewriteCond %{REMOTE_ADDR} !^123\.45\.678\.9$
RewriteCond %{REMOTE_HOST} (^|\.)evil\.isp\.com$ [NC]
RewriteRule .* - [F]
#
Allow from all

Note also the corrections/refinements to the user-agent pattern. In mod_rewrite, the "/" characters need not be escaped, while the "." characters should be escaped as shown.

Jim
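
An added example, not part of the thread above: a small Python model of how mod_rewrite walks a chain of RewriteCond lines top-down and stops at the first one that fails. It shows why putting a cheap condition (exempt IP, or a file-type test on REQUEST_URI) before the %{REMOTE_HOST} condition spares the reverse-DNS lookup on most requests, that an unanchored hostname pattern also catches look-alike domains, and that a host with no PTR record slips past the block because Apache substitutes the bare IP for REMOTE_HOST when the lookup fails. The reverse-DNS table, the traffic sample, the documentation-range IPs and the exempt address 198.51.100.5 (standing in for the "123.45.678.9" exception) are all constructed for the example.

```python
import re

# Constructed reverse-DNS table (hypothetical hosts, documentation-range IPs).
# 198.51.100.6 deliberately has no entry, modelling a missing PTR record.
PTR_TABLE = {
    "203.0.113.7": "dsl-7.evil.isp.com",
    "203.0.113.9": "mail.notevil.isp.com",   # look-alike in a different domain
    "198.51.100.5": "office.example.net",
}

EXEMPT_IP = "198.51.100.5"  # hypothetical stand-in for the thread's "123.45.678.9"


class Request:
    """One client request; counts how often reverse DNS is consulted."""

    def __init__(self, ip, uri, user_agent="Mozilla/5.0"):
        self.ip, self.uri, self.user_agent = ip, uri, user_agent
        self.lookups = 0

    def variable(self, name):
        """Resolve a %{VAR} the way the conditions below need it."""
        if name == "REMOTE_HOST":
            self.lookups += 1                       # the expensive step
            return PTR_TABLE.get(self.ip, self.ip)  # Apache falls back to the bare IP on rDNS failure
        return {"REMOTE_ADDR": self.ip,
                "REQUEST_URI": self.uri,
                "HTTP_USER_AGENT": self.user_agent}[name]


def conditions_hold(req, conds):
    """AND-chain of (variable, pattern, negate) triples, evaluated top-down and
    stopping at the first failure, as mod_rewrite does for RewriteCond lines."""
    for name, pattern, negate in conds:
        matched = re.search(pattern, req.variable(name)) is not None
        if matched == negate:  # fails when a plain pattern misses or a negated one hits
            return False
    return True


# The block as posted: exemption first, then the (unanchored) hostname test.
AS_POSTED = [
    ("REMOTE_ADDR", r"^198\.51\.100\.5$", True),
    ("REMOTE_HOST", r"evil\.isp\.com", False),
]

# Qualified version: a cheap URI test runs first, so reverse DNS is only
# consulted for the few file types worth protecting, and the hostname
# pattern is anchored so "notevil.isp.com" no longer matches.
QUALIFIED = [
    ("REQUEST_URI", r"\.(cgi|php)$", False),
    ("REMOTE_ADDR", r"^198\.51\.100\.5$", True),
    ("REMOTE_HOST", r"(^|\.)evil\.isp\.com$", False),
]


def is_forbidden(ip, uri, conds):
    """True when the RewriteRule .* - [F] would fire for this request."""
    return conditions_hold(Request(ip, uri), conds)


def lookups_for(requests, conds):
    """Total reverse-DNS lookups a list of (ip, uri) pairs would trigger."""
    total = 0
    for ip, uri in requests:
        req = Request(ip, uri)
        conditions_hold(req, conds)
        total += req.lookups
    return total


# Constructed traffic sample: mostly static pages, one script request.
SAMPLE = [
    ("203.0.113.7", "/index.html"),
    ("203.0.113.7", "/images/logo.png"),
    ("203.0.113.9", "/index.html"),
    ("198.51.100.5", "/index.html"),
    ("198.51.100.6", "/index.html"),
    ("203.0.113.7", "/guestbook.cgi"),
]

if __name__ == "__main__":
    for ip, uri in SAMPLE:
        posted = "forbidden" if is_forbidden(ip, uri, AS_POSTED) else "allowed"
        qual = "forbidden" if is_forbidden(ip, uri, QUALIFIED) else "allowed"
        print(f"{ip:14} {uri:20} as posted: {posted:9} qualified: {qual}")
    print("reverse-DNS lookups, as posted:", lookups_for(SAMPLE, AS_POSTED))
    print("reverse-DNS lookups, qualified:", lookups_for(SAMPLE, QUALIFIED))
```

In .htaccess terms the qualified list is simply a `RewriteCond %{REQUEST_URI} \.(cgi|php)$` line placed above the `%{REMOTE_ADDR}` and `%{REMOTE_HOST}` lines: mod_rewrite does not expand `%{REMOTE_HOST}` until it reaches that condition, so requests for ordinary pages never wait on DNS. The no-PTR case is worth keeping in mind when judging how much the block actually buys: a client whose address has no reverse record is let through, so a hostname-based block is a nuisance filter, not a hard boundary.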

helleborine

11:00 am on May 3, 2005 (gmt 0)

10+ Year Member



Thank you Jim.

Even if it's inefficient, that's OK; I can leave the command up for a couple of months, until the evil person gets the idea. Hopefully after that, they'll have found another toy.

;-)