DEV Community

Cover image for Building a User-Agent Risk Scorer: Rule Engine + Threat Intel + Community Voting
Arun Krishna
Arun Krishna

Posted on

Building a User-Agent Risk Scorer: Rule Engine + Threat Intel + Community Voting

User-Agent strings are messy, spoofable, and technically "on their way out"
with Client Hints — but in practice, almost every bot, scraper, and piece of
malware still sends one, and most of them get it wrong in predictable ways.
I built UAIntel to catch those mistakes and score
any UA string 0–100 for risk. Here's how it's structured.

Layer 1: Rule Engine

The first pass is pure pattern matching, no external data needed:

  • Impossible OS/browser combos — e.g. a UA claiming to be Safari on Windows, which doesn't exist in the real world
  • Version inconsistencies — internal tokens that don't match each other (e.g. a Chrome version number that doesn't line up with its WebKit build)
  • Automation signatures — Selenium, Puppeteer, HeadlessChrome, and similar framework fingerprints
  • Raw HTTP libraries — curl, python-requests, Go-http-client — not browsers at all, but common in scraping traffic

This layer is fast (no lookups) and catches the most obvious cases.

Layer 2: Threat-Intel Database Lookups

The second layer cross-references the UA against bundled threat feeds:

  • Nginx/Apache bad-bot blocklists
  • SecLists' UA database
  • mthcht's malware UA intelligence
  • Matomo's device detector bot list

These feeds refresh weekly via a Cloudflare Workers cron trigger, so the
in-memory dataset stays current without a manual redeploy.

Layer 3: Community Voting

Some UAs are ambiguous even after the first two layers — this is where
community reports come in. Anyone can flag a UA as malicious, bot, or
benign, and that feedback factors into the score for future lookups of
the same string. It's a small signal on its own, but compounds over time
as more people use the tool.

What's Next

I'm actively looking for edge cases it gets wrong — false positives on
legitimate automation, or malware/scrapers it's not catching yet. If you
work with logs, WAFs, or bot mitigation and have interesting UA strings
lying around, I'd genuinely appreciate you running them through it:

👉 uaintel.tech — free, no signup.

Happy to answer questions in the comments.

Top comments (0)