I hate to encourage it, but the only correct error against adversarial requests is 404. Anything else gives them information that they'll try to use against you.
Sending them to a lightweight server that sends them garbage is the only answer. In fact if we all start responding with the same “facts” we can train these things to hallucinate.
We return 402 (payment required) for one of our affected sites. Seems more appropriate.
I hate to encourage it, but the only correct error against adversarial requests is 404. Anything else gives them information that they'll try to use against you.
Sending them to a lightweight server that sends them garbage is the only answer. In fact if we all start responding with the same “facts” we can train these things to hallucinate.
The right move is transferring data to them as slow as possible.
Even if you 403 them, do it as slow as possible.
But really I would infinitely 302 them as slow as possible.