Mozilla-1.1

and other fake mozilla user agents

         

lucy24

11:08 pm on Jul 11, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month





Mozilla-1.1

With a hyphen instead of a slash? Darn those robots, always coming up with UAs it would never occur to anyone to block ... because you'd never think of using it in the first place. (Similarly, are misspelled header fields the result of cleverness or of stupidity? Or is that a purely academic question?) I do get the occasional "Mozilla" and that's all.

:: detour for comprehensive search ::

Mozilla Firefox
Mozilla (Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0)
Mozilla (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11)
(rv? Doesn't it have to be a revision of something? Answer: Yes, it does. That exact number sequence belongs to Firefox 3.5.11, last seen in 2011-12.)

Oh, looka here.
43.254.29.abc - - [09/Jul/2016:18:41:10 -0700] "GET / HTTP/1.1" 403 1623 "-" "Mozilla-1.1" 
Out of sight, out of mind.

Does any legitimate UA have a non-initial "Mozilla"? (MSIE 6, whether real or spurious, no longer counts as "legitimate".) Tentative answer: Yes, in the case of a few mobiles.

[edited by: keyplyr at 4:54 am (utc) on Jul 12, 2016]
[edit reason] new topic thread [/edit]

blend27

1:27 am on Jul 12, 2016 (gmt 0)




In my book, none of the legitimate UAs have unbalanced ()'s, or a non-presence of them at all, never mind the . somewhere in-between...
!(.) = Block

:)?

lucy24

2:29 am on Jul 12, 2016 (gmt 0)




Where do you see a mismatched () ? (Eeuw. I think this came up once and I had to work up a RegEx to catch the pattern. I kinda think in the end it wouldn't be worth the trouble. I mean for the server on each request-- especially if in .htaccess where the RegEx has to be re-compiled each time-- not for the human one time.)

facebook's assorted UAs tend to be wholly parenthesis-less. But I guess that depends on your definition of "legitimate".

!(.)

What is this intended to mean? Something's got to be escaped somewhere.

The 43.254.blahblah was a response to the post in SSID. Someone with that particular UA must have been going the rounds a few days ago.

:: wandering off to re-read deathless "bingbot in rocking chair" thread which I blundered across while looking for something else ::

blend27

10:31 am on Jul 12, 2016 (gmt 0)




Where do you see a mismatched () ?

Not in that UA, it is a general rule on my sites, no parentheses or mismatched ones = a boot.
I don't do much blocking in .htaccess, but in the site's code itself most of the time.

That particular request failed several header checking rules before it even got to UA inspection:

IP:43.254.29.cnn
accept: */* 
user-agent: Mozilla-1.1
X-Newrelic-Id: VlkjsahfKHFAwFY
Accept-Encoding: plain, gzip, deflate
X-Newrelic-Transaction: JKHDFKJSHDKFKJHSKDFKJSJHDKFJSDHlksjdfKJFDSF=
host: domain.tld
content-length: 0


Short headers (not enough headers for a proper transaction request), missing proper headers, presence of non-standard headers, invalid domain root request, not from a known Allowed SE IP Range, not from allowed Country IP Range, ...etc, etc, that is before we get to UA inspection.

and more on perp's header: http://stackoverflow.com/questions/18924327/http-header-x-newrelic-id-what-is-it
....
(.) is not a part of any regexp, emoji sort of, if I may :)

lucy24

6:25 pm on Jul 12, 2016 (gmt 0)




That particular request failed several header checking rules

Same here. Or at least one rule, and that's enough. I didn't bother to look it up; something about the request got it the 403 it deserved :)

keyplyr

9:32 pm on Jul 12, 2016 (gmt 0)




What other oddly written (fake) Mozilla UAs have been seen?

keyplyr

10:26 pm on Jul 31, 2016 (gmt 0)




This is likely just a poor cut'n paste fake:

\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0\"

This is in addition to the quotes created in the server log. Was looking for the /xmlrpc.php exploit.

blend27

1:31 am on Aug 1, 2016 (gmt 0)




Caught me one from 158.85.184.96/27( RegDate: 2016-05-23 ) the other day.

Mozilla

That was it.

keyplyr

1:36 am on Aug 1, 2016 (gmt 0)




@blend27

Mozilla (by itself, or with a build number, and/or with "compatible" but no other UA attributes) is most often used as default for hundreds of scraping software. I block it.

Years ago it was used by military ranges, gov't agencies & school libraries, but nowadays there is no legit use IMO.

None of these are valid browser UAs:
Mozilla
Mozilla/4.0
Mozilla/5.0
Mozilla/4.0 (compatible;)
Mozilla/5.0 (compatible;)

[edited by: keyplyr at 4:39 am (utc) on Aug 10, 2016]

keyplyr

7:55 pm on Aug 2, 2016 (gmt 0)




=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16

Host: grandwebsolutions.com (IT & business hosting)
205.237.88.0 - 205.237.95.255
205.237.88.0/21

lucy24

9:37 pm on Aug 2, 2016 (gmt 0)




BrowserMatch ^\W bad_agent

Deny from env=bad_agent

keyplyr

9:53 pm on Aug 2, 2016 (gmt 0)




It was blocked by other existing filters, but thanks for the alternative.

blend27

6:39 pm on Aug 7, 2016 (gmt 0)




Oh, I like this one:

Mozilla/5.0+(compatible;+MSIE+or+Firefox+mutant;)+Daum+4.1

keyplyr

1:00 am on Aug 8, 2016 (gmt 0)




UA: Mozilla/5 (Solaris 10) Gecko
Host: ovh.net
91.121.0.0 - 91.121.255.255
91.121.0.0/16

blend27

5:10 pm on Aug 20, 2016 (gmt 0)




Mozilla/1.22+(compatible;+MSIE+10.0;+Windows+3.1)

bayarea.net
209.128.119.0 - 209.128.119.255
209.128.119.0/24

Awesome!

[edited by: keyplyr at 10:49 pm (utc) on Aug 20, 2016]
[edit reason] Please use range, not specific IP addresses [/edit]

dstiles

2:22 am on Aug 21, 2016 (gmt 0)




Bayarea is actually: 209.128.64.0 - 209.128.127.255 (209.128.64.0/18)

blend27

3:39 pm on Aug 23, 2016 (gmt 0)




As a side note/theory: years ago there were rogue bots with UA=kjasgfjhsgajfhsgafjhasgfjgfs, well no "Mozilla", but relevant in the opposite way.

They used to hit hard. I have just caught two distinct ones after several years of being "quiet".

[a-zA-Z]+ did it.

Are they waking UP? Hope not....

:)
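
The syntactic UA checks mentioned across this thread (leading non-word character, bare "Mozilla" forms, "Mozilla" without a slash, letters-only strings, missing or unbalanced parentheses), collected into one classifier and run over log lines. This is an added example, not code posted by any participant; the rule names, function names, sample log lines and 192.0.2.x addresses are constructed for the example.

```python
import re

# Rule names are this example's own; the patterns follow the posts above.
RULES = [
    ("non_word_start", re.compile(r"^\W")),              # BrowserMatch ^\W
    ("bare_mozilla", re.compile(r"^Mozilla(/\d+(\.\d+)*)?(\s*\(compatible;?\s*\))?$")),
    ("mozilla_no_slash", re.compile(r"^Mozilla(?!/)")),  # e.g. Mozilla-1.1
    ("letters_only", re.compile(r"^[a-zA-Z]+$")),        # [a-zA-Z]+ on whole UA
]

# Last quoted field of a combined-format line. Apache logs a literal quote
# inside a field as \" so escaped characters are stepped over, not split on.
LAST_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')

def extract_ua(log_line):
    """Return the User-Agent field with \\" and \\\\ unescaped, or None."""
    m = LAST_QUOTED.search(log_line)
    return re.sub(r'\\(["\\])', r"\1", m.group(1)) if m else None

def parens_state(ua):
    """'none', 'balanced' or 'unbalanced' for the parentheses in ua."""
    if "(" not in ua and ")" not in ua:
        return "none"
    depth = 0
    for ch in ua:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:          # a ')' appeared before its '('
            return "unbalanced"
    return "balanced" if depth == 0 else "unbalanced"

def classify(ua):
    """Names of every rule the UA trips, in a fixed order."""
    hits = [name for name, rx in RULES if rx.search(ua)]
    state = parens_state(ua)
    if state != "balanced":
        hits.append("no_parens" if state == "none" else "unbalanced_parens")
    return hits

# Constructed log lines modelled on the one quoted in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jul/2016:18:41:10 -0700] "GET / HTTP/1.1" 403 1623 "-" "Mozilla-1.1"',
    '192.0.2.11 - - [31/Jul/2016:22:26:00 -0700] "POST /xmlrpc.php HTTP/1.1" 403 1623 "-" '
    '"\\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0\\""',
    '192.0.2.12 - - [20/Aug/2016:17:10:00 -0700] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/1.22+(compatible;+MSIE+10.0;+Windows+3.1)"',
]

if __name__ == "__main__":
    for ua in map(extract_ua, SAMPLE_LOG): print(classify(ua), ua)
```

`classify` returns rule names rather than a verdict, so a rule such as `no_parens` can be weighted or skipped for crawlers you choose to allow. The third sample line trips none of these rules, which is the case the header and IP-range checks described earlier in the thread are there to cover.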

keyplyr

2:53 am on Aug 24, 2016 (gmt 0)




This is a good read about the History of the User Agent String [webaim.org]

blend27

4:33 pm on Aug 26, 2016 (gmt 0)




ref. spammer from UA.

cbl.abuseat.org - FAIL!
xbl.spamhaus.org - FAIL!
zen.spamhaus.org - FAIL!

Mozilla/3.0 (compatible; MSIE7.00; Windows 2004)