Something as simple as requiring a "user
agent" string might be
enough?
No, see below..
A misbehaving application will come in through many ip
numbers.
And a forged user agent will be easy to bounce through Tor +
privoxy or similar mechanisms to "anonymize" the requests. You can't
block all of the IPs (well, you could block the Tor nodes in that
case, but someone will find dozens of ways around that too, by
chaining proxies together).
David A. Desrosiers
desrod(a)gnu-designs.com
http://gnu-designs.com