It's better to drop the connection without sending any packet back. Due to a bug in Friendly-Scanner it sometimes keeps trying to register with the same username again and again, in a bad case resulting in a lot of datatraffic to opensips.
I use this rule in default route:
xlog("L_ERROR","Auth error for $fU@$fd from $si cause -1 REGISTER username (friendly-scanner)");
Also log other failures (username or password) and use fail2ban to drop the ip entirly with iptables.