Do you have any evidence that the "visitor" is in fact human? In my case, blocked humans go on to request: two stylesheets, navigation image, favicon and piwik. Blocked robots--who, of course, represent at least 99% of all 403s--don't. And then I can take a closer look at headers to determine if they were unintentionally blocked. (Most turn out to have commmitted some other offense, such as being from the wrong country.)

I have a more comprehensive

BrowserMatch ^\W bad_agent

as part of a long bad_agent list that ends up getting blocked along with all the other environmental variables.

That UA is one of the most faked. I see it sometimes, with but mostly without, quotes usually from AWS.

I have not seen what I believe is the authentic (human) UA with quotes from ISPs (yet.)

The IPs are broadband/cable/mobile. I've only had time to look at two cases in any detail but it looks as though icon-fetching is ok but a page fetch is sometimes incorrect. There would be no css because the page is blocked before that could happen. The trap does not mitigate against icons.

In some cases I notice, from my "trap" logs, that there is sometimes one incorrect hit only, sometimes more than one incorrect and sometimes an incorrect one followed by a correct one. This suggests either someone is fixing the problem (although the timing on that is suspect) or that it is auto-correcting - which suggests a bot but the other behaviour is against that hypothesis.

The following took place in about 15 seconds (log lines abbreviated for clarity):

/apple-touch-icon-precomposed.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/ 62.232.xx.xxx "Mozilla/5.0+(iPhone;
/apple-touch-icon-precomposed.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon-precomposed.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork

The following took place in about 4 seconds. Note that the first few times a page has a correct UA (so is served but no css so probably not loaded by the device). In reality it was blocked due to an earlier attempt, which suggest the quote is a default UA:

/list.asp 95.90.xxx.xx Mozilla/5.0+(Macintosh;
/apple-touch-icon-precomposed.png 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon-precomposed.png 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/list.asp 95.90.xxx.xx "Mozilla/5.0+(iPhone;
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork

I'm still getting a lot of these hits. It has occurred to me the cause may be a dumb bookmark app.

I'm fairly certain it's human and it only seems to be from iphones.