My understanding is that any bot that is not in the ACP list is identified as a guest within the "who is online" page.
That is correct. Guests can be one of three "things" -- true guests, registered users who don't get logged in automatically and bots that aren't listed in the ACP. The last can be good bots (search bots, validation tools, etc.) or bad bots (E-mail scrapers, spam bots, etc.).
So, if it's an unidentified bot, how do I determine what it is? for example does xRumer leave any tell tale signs that can be identified by phpBB?
The best way is the User Agent. Of course, spam bots don't generally want you know who they are, so most will try to use generic browser User Agents. (I say "most" because i do have some "bad" bots listed in manage_bots
by User Agent, including at least one that's supposed to be Xrumer.)
If you can't rely on the User Agent, the only other thing is the IP address. However, while good bots may publish the IP addresses they may visit from, spam bots want to disguise that. To hide their slimy identities, they use proxies or, worse, zombie machines belonging to innocent users. So blocking their IP addresses (even if in the U.S. or wherever you are), may block a potentially valid user who got infected.
So there's a risk/reward trade-off in IP address blocking. My philosophy is to block as little as you can, so instead of blocking 192.168.1.*, maybe block 192.168.1.16-31.
At this point it's just annoyances, seeing 10 instances of 360spider on the forum doesn't make me feel comfortable. I have just started to play with blocking their IPs, but I would guess that they are much smarter than I am and this will be a futile game.
As Robert said, I wouldn't worry about it unless it starts impacting your site. If your site seems to be running slowly or you hit a bandwidth cap, then do something. Otherwise, it's more or less the cost of doing business on the Web.