My blog was seriously messed up by a libwww bot last week so I have also implemented similar .htaccess rules.
Two of my favorite 403 – Forbidden alternatives are:
402 – Payment required 😉
and a 301 – Permanent Redirect to their own hostname / remote IP with their maliciously crafted exploit URL untouched!
I am currently testing a few additional regexps to block more malicious bots by detecting remote inclusion attempt strings/patterns in the requested URLs but it needs more testing before publishing it.