"blank user-agent" [google.com]

I apply an additional header test to these types of fetches. I've seen the satellite providers occasionally using blank UA and referrer when fetching/caching images. The other header test catches things like you posted 99.99% of the time and lets the legit cache fetches through.

Do you want to block search spiders, or just the ones that don't provide a moniker?

A cookie check will trap most spiders... write a cookie onLoad and then try to read it... if no cookie then redirect. Lack of JavaScript can have the same effect... using a NoScript statement that includes a redirect.

Lotsa humans around here block cookies and/or javascript by default. Higher level of knowledge and/or higher level of paranoia than the average user in the street.

Must be paranoia and ignorance. Flash and video usually uses JavaScript to detect browser. No browser detection you don't see the show. Nor do you see page layout optimised for screen or windows size.

It doesn't matter what the reason the user has, if you block users because they do not enable cookies you're doing yourself a disservice. About 10% of users do not enable cookies.

Kendo - cookies are no guarantee. The technique may work with "real" bots but a LOT of scrapers maintain cookies - which is especially useful for dealing with IP-hoppers. :)

In addition I (for example) refuse cookies on most sites I visit. Ditto JS. As for Flash - I almost never view that either.

There is also a UK law now that says that web sites must offer an option to not accept cookies. This is very badly thought out (eg no mention of how US etc sites can be trapped) but it's bureaucrats so you can't really expect much logical thought on the matter. Nevertheless, a few web sites in the UK will implement either an option or dump cookies completely where they are of little use.