Then you can tell the bots apart from legitimate users through normal WAF rules, because browsers froze the UA a while back.