[_cenw]

The correct status code for that is 400, the generic "something you did is wrong" or 403, the generic "go away".

[afavour]

Sure but I imagine you’d want to track real 400 errors (e.g. your POST request contains the wrong parameters) in analytics to ensure you haven’t introduced a bug in your code. Categorising bot repellant responses along with that would likely be very noisy.

Again I’m not really defending the practise, I think it’s bad, I can just clearly see how they ended up where they ended up.

[0xffff2]

Isn't that what 40x errors are for? E.g. I think there's 408 Bad Request for your POST example.