Nice post! I'm kinda curious about the "badness score", what metrics have you found to be the most effective? Geolocation, browser, screen resolution? Something else entirely?
Thanks! Adding the origin of the request to the mix was the most interesting step. Browser fingerprinting itself is not terribly useful, but when you combine the geolocation with browser info like locale and timezone some users start to look more suspicious. Of course there are legit reasons for mismatches there, so blocked requests need to have multiple "suspicious" characteristics. I also keep track of some VPN provider IP ranges to group requests that cannot be grouped through geoip data.
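A sketch of the scoring idea in the reply above, written as an added example rather than the commenter's own code: each request collects independent "suspicious" signals (geoip country vs. locale, geoip country vs. timezone, membership in a known VPN range), a block requires more than one of them, and VPN ranges provide a grouping key where geoip cannot. The lookup tables and IP ranges are constructed stand-ins for a real geoip database and a maintained VPN provider list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reference data; a real deployment would load these from a geoip
# database and a curated list of VPN provider ranges.
COUNTRY_TIMEZONES = {
    "DE": {"Europe/Berlin"},
    "US": {"America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles"},
}
COUNTRY_LOCALES = {"DE": {"de"}, "US": {"en"}}
VPN_RANGES = {  # network -> provider label (constructed, documentation-only addresses)
    ipaddress.ip_network("203.0.113.0/24"): "ExampleVPN-A",
    ipaddress.ip_network("198.51.100.0/25"): "ExampleVPN-B",
}

@dataclass
class Request:
    ip: str
    geo_country: str  # result of a geoip lookup on ip (assumed already done)
    locale: str       # primary Accept-Language tag, e.g. "de-DE"
    timezone: str     # IANA zone reported by the client

def vpn_provider(ip):
    """Return the VPN provider label for ip, or None if it is in no known range."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in VPN_RANGES.items() if addr in net), None)

def suspicious_signals(req):
    """Independent indicators; any one alone has legitimate explanations."""
    signals = []
    lang = req.locale.split("-")[0].lower()
    if lang not in COUNTRY_LOCALES.get(req.geo_country, set()):
        signals.append("locale_mismatch")
    if req.timezone not in COUNTRY_TIMEZONES.get(req.geo_country, set()):
        signals.append("timezone_mismatch")
    if vpn_provider(req.ip) is not None:
        signals.append("vpn_range")
    return signals

def badness_score(req):
    return len(suspicious_signals(req))

def should_block(req, threshold=2):
    # Travel, expats and corporate proxies produce single mismatches all the
    # time; only a combination of signals crosses the threshold.
    return badness_score(req) >= threshold

def request_group(req):
    """Grouping key: VPN provider when known, otherwise the geoip country."""
    provider = vpn_provider(req.ip)
    return f"vpn:{provider}" if provider else f"geo:{req.geo_country}"
```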