I've been using this example on some of my sites for a while and find it very effective at reducing spambot and clickbot activity. It not only prevents wasted server resources by these bots, but it appears to have significantly increased rpm and reduced clawbacks by preventing invalid adsense clicks and impressions.

I'm hoping someone here has a little more layout experience than I have and can sanitize and simplify it for use as a global include.

It needs some work to eliminate the need to copy/paste the forms and css into each page. That should all be able to reside in the include file if valid html and inline css are used.

I prefer a hardcoded $datFile path but others may like getCWD().

I've had no issues on low to medium traffic sites, up to 3000 pageviews, but I have no idea if this will scale well for higher traffic sites. All it's really doing is checking IP against whatever is stored in the $datFile so it depends how large you allow that to get. I suppose you could rotate that file if it gets too large.

I didn't include dynamic writing to htaccess here because I've found it too unpredictable in the past.

Viewing the formatted deny list should probably be done in a separate page too.

Feel free to add improvements.

<?php

// Bad Bot Logging and Blocking

// This script captures all visitor IPs when the page loads but only records bot IPs
// based on hidden form submission that your visitors won't see but bots will.
// Bad bots will test any form they find and once they do, their IP will be logged
// and they will be blocked from reaccessing the page. 
// The hidden bot form should be placed before any other interactive elements (eg: forms or ads) on your page.

// To then block them from your entire site, see the htaccess useage example further down

// Add the folling line to any page you want protected.
// include('./spam.inc.php');

// Place this code on the same page, near the top preferably.
// **Change the message a bit to avoid future bot detection and avoidance !


/*




<div id="non"> 
<form action="" method="post" target="_self">
<p>If you complete these fields, you will be added to our list of problem users.
 In addition, this page will no longer work for you. Thanks for visiting yoursite.com 
</p>
Email Address<br />
 <input type="text" name="email" value="">
 <br />
Contact<br />
 <input type="text" name="contact" value="">
 <br />
Comment<br />
 <textarea cols="40" rows="6" name="comment"></textarea>
 <br />
 <input type="submit" value="Submit" />
 </form>
</div>




*/

// Example css for hidden div:
/*

#non {
width:280px;
max-width:280px;
height:20px;
max-height:20px;
display:none;
}

*/

// IMPORTANT !
// IMPORTANT !
// IMPORTANT !

// Edit $datFile to the full path to your data file, in your Home directory.
// This file will be automatically created if it does not already exist


// IMPORTANT- must edit !

 $datFile = '/home/*********/public_html/badIPs.dat';


// END OF EDITABLE FEILDS


// Is there a $datFile? Create new file if not already exists

 if(!file_exists($datFile)){
 fopen($datFile, "w");
 }


// open $datFile and get contents into an array.

 $data = file_get_contents($datFile);
 $bad = explode("\n", $data);

// Used for debugging only. Uncomment to show all IPs captured in unsorted order
 //print_r($bad);

// Get the visitor IP

 $ip = GetIP();
 
// Are they a bot? Has it been here before?
// If it has, just kill the page.

if (in_array($ip, $bad)) {

// In case the bot is acting from cached page, clear form submitted data first

$keys = array();

foreach($GLOBALS as $k => $v){
$keys[] = $k;
}

for($t=1;$keys[$t];$t++){
unset($$keys[$t]);
}
unset($k); unset($v); unset($t);

 unset($_POST);
unset($_GET);
unset($_REQUEST);

 die("Spam Bot Behaviour Detected and Blocked");

 } else {


$p = 0;

if(isset($_POST['email']) && ($_POST['email']) !==''){
 $p++;
}

if(isset($_POST['contact']) && ($_POST['contact']) !==''){
 $p++;
}

if(isset($_POST['comment']) && ($_POST['comment']) !==''){
 $p++;
}

if($p !==0){

// if it's a new bot, write the IP to your data file and clear form data, kill page

 $fp = fopen($datFile, 'a');
 fwrite($fp, $ip."\n");
 fclose($fp);

$keys = array();

foreach($GLOBALS as $k => $v){
$keys[] = $k;
}

for($t=1;$keys[$t];$t++){
unset($$keys[$t]);
}
unset($k); unset($v); unset($t);

 unset($_POST);
unset($_GET);
unset($_REQUEST);

 die("Spam Bot Behaviour Detected and Blocked");
}


}



// HTACCESS USEAGE EXAMPLE:

// To view all IPs formatted for htaccess in sorted order
// useage: http://www.yourwebpage.com/index.php?showbad=true

// ** Data will appear at the top of the page outside of your css.
// A bit crude but.....

 if(isset($_REQUEST['showbad']) && ($_REQUEST['showbad']) =='true'){
 natsort($bad);
 echo "<pre>\n";
 echo '#badIP\'s Last Updated: '.date(DATE_RFC2822)."\n\n";
 echo 'order allow,deny'."\n";
 echo 'allow from all '."\n";
 foreach($bad as $badIP){
 if($badIP !==''){
 echo "deny from ". $badIP ."\n";
 }
 }
 echo "\n".'#badIPs Last Updated: '.date(DATE_RFC2822)."\n\n";
 echo "</pre>\n";
 }



function GetIP()
{
 if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
 $ip = getenv("HTTP_CLIENT_IP");
 else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
 $ip = getenv("HTTP_X_FORWARDED_FOR");
 else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
 $ip = getenv("REMOTE_ADDR");
 else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
 $ip = $_SERVER['REMOTE_ADDR'];
 else
 $ip = "unknown";
 return($ip);
}
?>