This is Flameeyes's TypePad Profile.
Flameeyes
Recent Activity
Another method I implemented in my ruleset is to check for "sdch" in Chrome requests' Accept-Encoding: only Chrome supports that encoding, and no other browser, which makes it perfect for this use.
I think my ruleset alone kills half those default user-agents :)
HOIC DDoS Analysis and Detection
In a previous blog post, we provided details of a DDoS attack tool called LOIC (Low Orbit Ion Canon) used by Anonymous in support of denial of service attacks over the past year. Attackers are constantly changing their tactics and tools in response to defenders' actions. Recently, the SANS In...
Glad to see I'm not the only one considering browser fingerprinting a valid technique... my experiment with using it as an antispam method has worked quite nicely, as far as my blog is concerned.
Some fake browser rejection is already implemented in my own set of rules at http://www.flameeyes.eu/projects/modsec — there is a further one that is not considered here: MSIE always sends an Accept-Encoding header as well.
Also, about the use of Host and HTTP/1.0 (which is another thing that suggested browser fingerprinting to me): no modern browser still uses HTTP/1.0, unless it's going through a proxy and it's the proxy doing the downgrade. But if there is a proxy involved, it should include a Via header as well. I have used that for a while, but there was some reason why I had to take it out.
I need to check Windows-based browsers, by the way, but I think a browser sending an Accept: */* might be a red flag as well.
HOIC DDoS Analysis and Detection
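The header-consistency checks described in the two comments above (MSIE always sending Accept-Encoding, "sdch" being Chrome-only, HTTP/1.0 without a Via header, a bare Accept: */*), expressed as a small Python detector. This is an added example, not code from the comments or from the flameeyes.eu ruleset; the function name and the sample requests are constructed for illustration.

```python
def fingerprint_anomalies(version, headers):
    """Return the names of the browser-fingerprint heuristics a request fails.
    `version` is the request's protocol string (e.g. "HTTP/1.1"), `headers` a
    dict of request headers; header names are matched case-insensitively."""
    h = {name.lower(): value for name, value in headers.items()}
    ua = h.get("user-agent", "")
    # Tokenise Accept-Encoding, dropping any ";q=" parameters.
    encodings = {e.split(";")[0].strip().lower()
                 for e in h.get("accept-encoding", "").split(",") if e.strip()}
    flags = []
    # MSIE always sends an Accept-Encoding header; an "MSIE" UA without one is inconsistent.
    if "MSIE" in ua and "accept-encoding" not in h:
        flags.append("msie-without-accept-encoding")
    # "sdch" in Accept-Encoding was Chrome-only at the time of the comment:
    # a Chrome UA lacking it, or a non-Chrome UA sending it, is inconsistent.
    claims_chrome = "Chrome/" in ua
    if claims_chrome and "sdch" not in encodings:
        flags.append("chrome-without-sdch")
    if not claims_chrome and "sdch" in encodings:
        flags.append("sdch-from-non-chrome")
    # No modern browser speaks HTTP/1.0 itself; a downgrading proxy should add Via.
    if ua.startswith("Mozilla/") and version == "HTTP/1.0" and "via" not in h:
        flags.append("http10-without-via")
    # Tentative red flag from the comment: a bare Accept: */* from a browser UA.
    if ua.startswith("Mozilla/") and h.get("accept", "").strip() == "*/*":
        flags.append("accept-star-only")
    return flags


# Constructed sample requests (hypothetical values, not captured traffic).
GENUINE_MSIE = ("HTTP/1.1", {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "Accept": "image/jpeg, application/x-ms-application, */*",
    "Accept-Encoding": "gzip, deflate",
})
FAKE_MSIE = ("HTTP/1.0", {  # the kind of request a script spoofing MSIE tends to send
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Accept": "*/*",
})
GENUINE_CHROME = ("HTTP/1.1", {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10",
    "Accept": "application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5",
    "Accept-Encoding": "gzip,deflate,sdch",
})

if __name__ == "__main__":
    for name, (version, headers) in [("genuine MSIE", GENUINE_MSIE),
                                     ("fake MSIE", FAKE_MSIE), ("genuine Chrome", GENUINE_CHROME)]:
        print(f"{name}: {fingerprint_anomalies(version, headers) or 'consistent'}")
```

A ModSecurity equivalent would chain a rule on REQUEST_HEADERS:User-Agent with a negated check on the other header, one rule per heuristic.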
Uhm, the IP check only works with IPv4... admittedly I haven't seen any interesting attack on IPv6 yet, but that would be a first way to defeat the rules...
ModSecurity Advanced Topic of the Week: Remote File Inclusion Attack Detection
Remote file inclusion (RFI) is a popular technique used to attack web applications (especially PHP applications) from a remote server. RFI attacks are extremely dangerous as they allow a client to force a vulnerable application to run their own malicious code by including a reference pointer...
You have a typo in the example config: it's not RequestReadyTimeout, it's RequestReadTimeout, but besides that, thanks for letting us know about this!
(Updated) ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks
Update - the latest version of ModSecurity 2.6 has a new directive called SecWriteStateLimit that helps to defend against Slow POST attacks. With the recent OWASP AppSec DC presentation on Slow HTTP POST DoS attacks, the issue of web server platform DoS concerns has reached a new high. Not...
Flameeyes is now following The Typepad Team
Nov 30, 2010
