If you want to take it to the next level, embed it as a microdot (single pixel) link somewhere on a side page, and use CSS to make it display:none;visibility:hidden;margin:-9999px; so that no human could possibly click on it.
Because of robots.txt, no bot should touch that link. And because it's off the page and hidden, no human either. But you'll be amazed how much it's hit.
But a warning: the problem with today's browsers is prefetching. You'd have to make sure you disallow it for prefetching too or you'll trap innocent humans using hyperactive browsers.
This technique also will catch mass downloading plugins where they are saving your entire website from a browser plugin - but they can die too in my book.
If you want to be nice, write the banlist to a file you clear out every hour via cron or with a time check.
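A sketch of the trap described in the comment above, added here as an example and not code from the original poster: it confirms robots.txt really disallows the trap, ignores browser prefetches, and expires bans after an hour with a time check. The path `/trap/`, the sample robots.txt and all function and class names are assumptions made for illustration.

```python
import time
from urllib.robotparser import RobotFileParser

TRAP_PATH = "/trap/"   # assumed name for the hidden link's target
BAN_TTL = 3600         # seconds: the "clear it out every hour" option
# Constructed sample robots.txt that tells every crawler to stay out of the trap.
ROBOTS_TXT = "User-agent: *\nDisallow: /trap/\n"
# Request headers browsers use to mark speculative loads.
PREFETCH_HEADERS = ("sec-purpose", "purpose", "x-moz")

def trap_is_disallowed(robots_txt, path=TRAP_PATH):
    """True if robots.txt really forbids the trap path for all user agents."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch("*", path)

def is_prefetch(headers):
    """True if any known prefetch header marks this request as speculative."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return any("prefetch" in lowered.get(h, "") for h in PREFETCH_HEADERS)

class TrapBanlist:
    def __init__(self, ttl=BAN_TTL):
        self.ttl = ttl
        self.expiry = {}   # ip -> time at which the ban lapses

    def is_banned(self, ip, now):
        if ip in self.expiry and self.expiry[ip] <= now:
            del self.expiry[ip]          # time check instead of a cron job
        return ip in self.expiry

    def handle(self, ip, path, headers, now=None):
        """Return 'blocked', 'ignored-prefetch', 'banned' or 'ok'."""
        now = time.time() if now is None else now
        if self.is_banned(ip, now):
            return "blocked"
        if not path.startswith(TRAP_PATH):
            return "ok"
        if is_prefetch(headers):
            return "ignored-prefetch"    # a browser fetched it, not a scraper
        self.expiry[ip] = now + self.ttl
        return "banned"
```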
Technically, not listing this is correct. The three robot laws are imprinted upon their brains, and through the magic of sci-fi handwavium, robots cannot exist at all without these three laws. The "Zeroth" law, however, was derived by the robots themselves and is not imprinted upon their brains. Indeed, one of their big challenges was to work themselves into a position where they could save humanity even if it meant actively killing an individual human, honoring the implicit law over the explicit one. (This conflict ultimately killed Giskard.) It is more correct not to list this law in a robots.txt than to list it.
Where that is a script that instantly bans the IP on the server.
You'd be amazed how many bad bots hit it.