incrediBILL - 4:13 pm on Mar 7, 2012 (gmt 0)
I'm going to recant my earlier statement. What I thought was the magic bullet turned out to be some web hosting company modifying HTTP headers sent by browsers under the premise of it being required for FastCGI running PHP, which was total nonsense.
In other words, my data set was tainted.
Some things I found still work but are more site-specific, not a panacea, nothing just anyone could use to block all the traffic.
Best I can tell from several samples these are either real browsers being used or really good fakery. The only real solution to the problem may be to build a list of the IPs involved in the attack, gathered from multiple sites, and see if they are using any IPs in common and build a block list of all repeat offenders.
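
The cross-site correlation suggested in the post above, as an added example that is not part of the original post: it counts how many distinct sites flagged each IP and keeps the repeat offenders. The site names, the sample addresses (documentation ranges) and the `min_sites` threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: per-site lists of client IPs flagged during the
# attack window (for instance, pulled from each site's access log). Site names
# and addresses (RFC 5737 documentation ranges) are made up for illustration.
FLAGGED_BY_SITE = {
    "site-a": ["192.0.2.10", "192.0.2.10", "198.51.100.7", "203.0.113.5"],
    "site-b": ["198.51.100.7", "203.0.113.5", "203.0.113.99"],
    "site-c": ["203.0.113.5", "192.0.2.44", "not-an-ip"],
}


def repeat_offenders(flagged_by_site, min_sites=2):
    """Map each IP seen on at least min_sites distinct sites to those sites."""
    sites_for_ip = defaultdict(set)
    for site, ips in flagged_by_site.items():
        for raw in ips:
            try:
                # Normalise the address so differently formatted copies match.
                ip = str(ipaddress.ip_address(raw.strip()))
            except ValueError:
                continue  # skip malformed entries instead of aborting the merge
            # A set per IP: many hits on one site still count as one site.
            sites_for_ip[ip].add(site)
    return {ip: sorted(s) for ip, s in sites_for_ip.items() if len(s) >= min_sites}


def common_to_all(flagged_by_site):
    """IPs that every contributing site flagged."""
    return sorted(repeat_offenders(flagged_by_site, min_sites=len(flagged_by_site)))


def blocklist(flagged_by_site, min_sites=2):
    """Repeat offenders, most widely seen first, then in numeric IP order."""
    offenders = repeat_offenders(flagged_by_site, min_sites)

    def sort_key(ip):
        addr = ipaddress.ip_address(ip)
        return (-len(offenders[ip]), addr.version, int(addr))

    return sorted(offenders, key=sort_key)


if __name__ == "__main__":
    for ip in blocklist(FLAGGED_BY_SITE):
        print(ip)
```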