Blocking WordPress comment spammers by User-Agent

I have been plagued with automated comment spam lately. It is still at a level where it's manageable manually, but... I am lazy.

The comment message itself is nearly always along the lines of:

Excellent! I enjoyed reading your material. think that will make relief: http://www.av.com ,
<a href="http://www.adobe.com" rel="nofollow">substances that cure you</a> ,
<a href="http://www.apple.com" rel="nofollow">my parents didnt told me about it</a>

It would appear to be more of a test message; blogs that accept the comment will probably be hammered with real spam at a later date.

I use ModSecurity on my server and wondered if there was an easy way to filter out these requests before they even reach WordPress. I dug out my access_logs looking for the offending requests. The programs being used to post the comment spam appear to be quite simplistic, posting directly to "wp-comments-post.php".

blog.lobstertechnology.com 209.200.xxx.xxx - - [16/Oct/2005:04:36:20 +0100]
   "POST /wp-comments-post.php HTTP/1.1" 302 5
   "http://blog.lobstertechnology.com/wp-comments-post.php"
   "Jakarta Commons-HttpClient/3.0-rc3"

blog.lobstertechnology.com 207.195.xxx.xxx - - [12/Nov/2005:09:57:15 +0000]
   "POST /wp-comments-post.php HTTP/1.1" 302 5
   "-"
   "Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"

Others are a little more sophisticated and at least bother to change the default User-Agent:

blog.lobstertechnology.com 209.200.xxx.xxx - - [09/Nov/2005:12:24:23 +0000]
   "POST /wp-comments-post.php HTTP/1.1" 302 5
   "http://blog.lobstertechnology.com/wp-comments-post.php"
   "Mozilla/4.0"

I crafted a very simple ModSecurity filter to catch these. Although it is a little crude, it will only trigger when the listed User-Agents send a request to "/wp-comments-post.php". Adjust as required:

<IfModule mod_security.c>

   # Turn the filtering engine On or Off
   SecFilterEngine On

   ...

   # proof of concept WordPress User-Agent filter
   <Location /wp-comments-post.php>
      SecFilterSelective HTTP_USER_AGENT "HttpClient"
      SecFilterSelective HTTP_USER_AGENT "Java"
      SecFilterSelective HTTP_USER_AGENT "TuringOS"
   </Location>

</IfModule>
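
To see what these three patterns would catch before switching the filter on, the matching can be replayed over an access log. The following is an added example, not part of the original post: it assumes one-line log entries in the layout of the excerpts above, treats each pattern as a case-sensitive regex search (an assumption about matching semantics), and runs on constructed sample lines.

```python
import re
from collections import Counter

# Patterns copied from the three SecFilterSelective lines in the filter.
UA_PATTERNS = [re.compile(p) for p in ("HttpClient", "Java", "TuringOS")]
TARGET = "/wp-comments-post.php"

# Assumed layout: vhost ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (verdict, user_agent): 'blocked', 'passed' or 'ignored'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "ignored", None                # unparseable line
    path = m.group("path").split("?", 1)[0]   # <Location> matches the URL path only
    if path != TARGET and not path.startswith(TARGET + "/"):
        return "ignored", m.group("ua")       # outside the <Location> block
    ua = m.group("ua")
    hit = any(p.search(ua) for p in UA_PATTERNS)
    return ("blocked" if hit else "passed"), ua

def summarize(lines):
    """Count User-Agents the filter would block or let through."""
    blocked, passed = Counter(), Counter()
    for line in lines:
        verdict, ua = classify(line)
        if verdict == "blocked":
            blocked[ua] += 1
        elif verdict == "passed":
            passed[ua] += 1
    return blocked, passed

# Constructed sample lines (documentation IP range, not real log data).
PREFIX = 'blog.example.org 192.0.2.10 - - [16/Oct/2005:04:36:20 +0100] '
POST = '"POST /wp-comments-post.php HTTP/1.1" 302 5 "-" '
SAMPLE = [
    PREFIX + POST + '"Jakarta Commons-HttpClient/3.0-rc3"',
    PREFIX + POST + '"Mozilla/4.78 (TuringOS; Turing Machine; 0.0)"',
    PREFIX + POST + '"Mozilla/4.0"',
    PREFIX + POST + '"Mozilla/5.0 (X11; U; Linux i686) Gecko/20050915 Firefox/1.0.7"',
    PREFIX + '"GET /index.php HTTP/1.1" 200 512 "-" "Java/1.4.2"',
]

if __name__ == "__main__":
    print("blocked: %s\nreaches WordPress: %s" % tuple(map(dict, summarize(SAMPLE))))
```

The "reaches WordPress" list is the one to review: it shows both legitimate browsers that are correctly left alone and User-Agents such as "Mozilla/4.0" that none of the three patterns match.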

Related Links
ModSecurity - http://www.modsecurity.org/