The major offenders are sa-update 3.3.x and generic curl clients based
on the user agent in the logs running from every minute to every 15
minutes and blindly pulling down the same rulesets over and over.
My "vote" counts for very, very little, but since these clients already
have the latest rules (multiple times, apparently), why not just block them?
If they are actually monitoring their update scripts at all (seems
doubtful), it should get their heads out of the sand (was going to use a
similar metaphor but wanted to be nice). They will probably look for a
resolution and find these latest posts.
If they're not monitoring their updates on any regular basis, it doesn't
seem like they care if they get them anyway.
