Something as simple as requiring a "user agent" string might be enough?
No, see below..
A misbehaving application will come in through many ip numbers.
And a forged user agent will be easy to bounce through Tor + privoxy or similar mechanisms to "anonymize" the requests. You can't block all of the IPs (well, you could block the Tor nodes in that case, but someone will find dozens of ways around that too, by chaining proxies together).
David A. Desrosiers desrod@gnu-designs.com http://gnu-designs.com