I had a similar problem a few years ago when I was using session tokens embedded in the URL. Due to the nature of the site the token related to versioned session data hence the token could branch.

This acted as a wonderful spider trap as the URL were always different if it tried to retrack its steps and use another path that it had already tested.

Got round this in the end by analysing the speed at which sessions were being updated and using that as a bot detector.

Generally it is only impolite bots that are an issue. One request a minute is Ok but 50 a sec is not. If you can't do it on a session basis you might want to look at apache throttling. This is not ideal as you my well end up throttling everyone not just the bots.

Trouble is a bot can use rotating IPs, disguised/changing user agents or anon-proxy servers to hide what it is.

UnderMine
OS History - Operating system history