dstiles - 9:25 pm on Feb 6, 2012 (gmt 0)
I think the official length of a UA is 127 bytes but a LOT of browsers, especially MSIE, exceed that. Often they include sub-strings of the original UA (eg "mozilla...6.0..." is inserted into the new UA of, eg, MSIE 7). This, as far as I can tell, is due in part to faulty MS updates (or faulty machines) and in part to GTB install/updates.
I find it far more reliable to use presence/absence of various headers in conjunction with known bad and suspect UAs and other things. I also check for certain characters in the UA and block on those - this catches things like "vlc/1.1.6" and "2".
Opera 9 is obsolete, although I still allow it at the moment, depending on other things. My Ubuntu copy is version 11.61. Most versions below 10, I would have thought, could be discarded UNLESS it's coming from a mobile: some of those are weird. Same with Firefox up to a point: 3.6 is still "official" in some Linux installations but we're now up to 10 (6 numbers in under a year!) - for what seem to be some very stupid reasons. MSIE 6 and below can be rejected unless you think some of your punters really are dumb enough to be using MSIE 6 a couple of years after MS discontinued support for it.
Webcollage is sort of legit. Some Linux machines use it as default browser "wallpaper" or something like that. I've been blocking it for years and it's one reason why my favicons are not in the web roots.
Samizdata: come at me with anything other than a real browser (or reasonable approximation thereof) and you die! :)
I do check for lengths of querystrings. Anything over a reasonable length (on sites that accept QS) and it's IP-killed: it's almost always a SQL injection attempt or similar.
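A sketch of the kind of screening this post describes, as an added example that is not part of the original post or the poster's own code. The header names, the query-string limit and the exact UA character test are assumptions, since the post does not state them; the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed values: the post names no headers, characters or length limit.
EXPECTED_HEADERS = ("accept", "accept-language", "accept-encoding")
BLOCKED_UA_SUBSTRINGS = ("webcollage",)   # the post says this UA is blocked
MAX_QUERY_LENGTH = 256                    # assumed "reasonable length"
OLD_MSIE = re.compile(r"MSIE ([0-9]+)\.")


def screen_request(url, headers):
    """Return the reasons to reject a request; an empty list means allow."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ua = hdrs.get("user-agent", "")
    reasons = []

    missing = [h for h in EXPECTED_HEADERS if h not in hdrs]
    if missing:
        reasons.append("missing headers: " + ", ".join(missing))
    # Assumed character test: browser UAs carry a space and a parenthesised
    # platform section; "vlc/1.1.6" and "2" carry neither.
    if " " not in ua or "(" not in ua:
        reasons.append("ua lacks browser-like structure")
    if any(s in ua.lower() for s in BLOCKED_UA_SUBSTRINGS):
        reasons.append("ua on block list")
    m = OLD_MSIE.search(ua)
    if m and int(m.group(1)) <= 6:
        reasons.append("MSIE 6 or below")
    # UA length is deliberately not tested: real browsers exceed 127 bytes.
    if len(urlsplit(url).query) > MAX_QUERY_LENGTH:
        reasons.append("query string too long")
    return reasons


# Constructed sample request headers (not taken from any real log).
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
    "Accept": "text/html",
    "Accept-Language": "en-GB",
    "Accept-Encoding": "gzip",
}

if __name__ == "__main__":
    for url, hdrs in [("/index.html", BROWSER_HEADERS),
                      ("/index.html", {"User-Agent": "vlc/1.1.6"}),
                      ("/item?id=" + "A" * 400, BROWSER_HEADERS)]:
        print(url[:24], "->", screen_request(url, hdrs) or "allow")
```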