PayPal IPN, ip range, user agent, referers?

are they leaving identification blank?

         

amznVibe

4:08 am on Oct 21, 2003 (gmt 0)




I think I had a bad side effect when I implemented a script here last month to temporarily block anything with both a blank user agent and referer. I am wondering if PayPal was dumb enough not to put a user agent on their IPN (the callback to your script after a purchase has been made off your site).

Does anyone have information on the IP range they use and/or user agent? I cannot seem to spot it in my log... I might need to make an exception to that script and allow their IP range in...

amznVibe

1:41 pm on Oct 21, 2003 (gmt 0)




Okay, for anyone else who might hit upon this in the future, the PayPal IPN will always rDNS to "notify.paypal.com" but the IP is subject to float. Currently it is at 65.206.229.140.

It also has the annoying behavior in that it does NOT use any user agent or referer. I've asked them to consider using one (not holding my breath). This news is important to anyone using htaccess blocking for visitors with no user agent or referer (your IPN notification won't get through!)

I have to go figure out now how to modify this to either rDNS the bot or just allow access to the IPN script to anyone :(

# Forbid if blank (or "-") Referer *and* UA
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

jdMorgan

2:44 pm on Oct 21, 2003 (gmt 0)




amznVibe,

Adding the following conditions will bypass the rule if a request comes from a PayPal IP or the request is for your script:


RewriteCond %{REMOTE_ADDR} !^65\.206\.2(2[89]|[34][0-9]|5[0-5])\.
RewriteCond %{REQUEST_URI} !^/path_to_your_script

You might also consider adding this one to allow AOL's new caching proxies to work on your site:

RewriteCond %{REQUEST_METHOD} !^HEAD$

Blocking blank referers and user-agents, even with the exceptions added above, can be dangerous: In addition to problems with users of Norton Internet Security and similar products, what if PP changes their IP range completely and 'breaks' even the modified rule? What effect will that have on your biz until you notice the change? It's your decision to make, I'm just advising caution since you have a commercial site.

Jim
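
The "rDNS the bot" option raised in the thread, as an added example (not code from any poster or from PayPal): a forward-confirmed reverse DNS check in Python that keeps working when the sender's IP floats, the failure mode the hard-coded range is exposed to. The forward-confirmation step, the function names and the resolver tables are assumptions; only the hostname and 65.206.229.140 come from the thread.

```python
import socket

# Hostname reported in the thread; everything else here is an assumption.
EXPECTED_HOST = "notify.paypal.com"


def system_reverse(ip):
    """PTR lookup via the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host):
    """A-record lookup via the system resolver; returns a list of IPv4 strings."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


def is_expected_sender(ip, expected=EXPECTED_HOST,
                       reverse=system_reverse, forward=system_forward):
    """True only if the PTR of `ip` equals `expected` and `expected` resolves back to `ip`."""
    name = reverse(ip)
    # Exact, case-insensitive match; prefix or suffix matches are rejected.
    if name is None or name.rstrip(".").lower() != expected.lower():
        return False
    # The PTR record is set by whoever controls the IP block, so the name
    # alone proves nothing: confirm it points back at this address.
    return ip in forward(expected)


# Constructed resolver data for an offline run (not real DNS answers).
FAKE_PTR = {
    "65.206.229.140": "notify.paypal.com",         # address quoted in the thread
    "203.0.113.9": "notify.paypal.com",            # PTR claims the name, A record disagrees
    "198.51.100.7": "notify.paypal.com.example.net",
}
FAKE_A = {"notify.paypal.com": ["65.206.229.140"]}


def demo(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return is_expected_sender(ip, reverse=FAKE_PTR.get,
                              forward=lambda h: FAKE_A.get(h, []))


if __name__ == "__main__":
    print({ip: demo(ip) for ip in (*FAKE_PTR, "192.0.2.1")})
```

Called without the `reverse` and `forward` arguments, `is_expected_sender` uses the system resolver, so each check costs two DNS lookups.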