Last Sunday, the author noticed unusual bot activity causing 404 errors on their server related to a commented-out JavaScript file. This file was never deployed, but various user agents, including known malicious ones like python-httpx and Go-http-client, were requesting it. The robots.txt file explicitly forbids crawling, yet these bots, along with some pretending to be legitimate browsers, ignored the rules. The author suspects these scrapers are either naively parsing HTML comments or deliberately extracting URLs from them to collect content for training large language models (LLMs). The author distinguishes between easily detectable bot behaviors and fundamental ones. For instance, some bots may have typos in their user-agent strings, which a savvy developer could exploit. However, behaviors that involve scanning for sensitive resources, like exposed backups or credentials, fall into a more serious category. The author warns that sharing knowledge about such fundamental behaviors can effectively reduce the bots' efficiency. They have implemented measures to detect requests for scripts referenced only in comments across their sites, aiming to warn others about this tactic. Blocking abusive IPs using tools like fail2ban can be effective. The author emphasizes the importance of configuring the duration of these blocks to prevent attackers from easily bypassing them. They also touch on the existence of botnets that can switch IPs when one gets blocked, suggesting that understanding their operation can lead to future strategies. The article hints at counter-offensive tactics like using zip bombs to disrupt attackers, though this method requires computational resources and may not be practical for everyone. Overall, the author advocates for vigilance and proactive measures against malicious bot behavior.