
$ua

keyplyr

11:13 pm on Jun 25, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



UA: $UA
Protocol: HTTP/1.1
Robots.txt: No
Host: simpli.fi
169.54.19.96 - 169.54.19.127
169.54.19.96/27
Parent: softlayer.com
169.54.0.0 - 169.55.255.255
169.54.0.0/15
also...
Host: Private Customer (name exemplified for anonymity)
158.85.198.128 - 158.85.198.159
158.85.198.128/27
Parent: softlayer.com
158.85.0.0 - 158.85.255.255
158.85.0.0/16
also...
Host: theplanet.com (softlayer.com)
184.172.0.0 - 184.173.255.255
84.172.0.0/15

Ad marketing.

Been seeing this UA for a few weeks. When a RegEx attribute is used to start a UA string, IMO they are attempting to sneak past htaccess defenses, so I have alternate blocking methods in place; ironic since I usually allow marketing companies.

lucy24

1:38 am on Jun 26, 2016 (gmt 0)


When a RegEx attribute is used to start a UA string

I don't see why. All you have to say in return is
^\W
or, if that's too all-encompassing,
^\$

:: detour to refresh memory ::

Yup. Even on my new, shorter bad_agent list, I still have ^\W along with ^-?$ just to cover all bases.

:: wandering off to TextWrangler to check how often they even occur (other than absent UA string, which comes through in logs as - hyphen) ::

The most common is
\"Mozilla
[sic, with matching \" at the far end] which I have to say bespeaks stupidity on the part of the bot-runner. It's the robotic equivalent of "I comma insert your name here comma" et cetera.

Also the occasional opening () which walks off with a handy 418 so I don't even need to think about it. (I don't save error logs, so I don't know if () by itself was the mod_security pattern.)

keyplyr

1:45 am on Jun 26, 2016 (gmt 0)


Well I did say "attempting..." but now that you've spilled the beans they will probably change their UA accordingly.


(joking)

keyplyr

1:57 am on Jun 26, 2016 (gmt 0)


AFAIK \"Mozilla is a bookmark link validator and not a bot. I see it seldom but have always allowed it without issue.

lucy24

6:18 am on Jun 26, 2016 (gmt 0)


I don't think this is a bookmark link validator.
195.211.155.ddd - - [13/Feb/2015:23:37:02 -0800] "GET /xmlrpc.php HTTP/1.1" 403 3301 "http://example.com/xmlrpc.php" "\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0\""

or this
93.115.84.ddd - - [20/Feb/2015:21:39:17 -0800] "GET /customer/account/login HTTP/1.1" 403 3357 "http://example.com/customer/account/login" "\"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\""

or this
5.63.146.ddd - - [24/Jan/2015:17:46:56 -0800] "GET /admin/ HTTP/1.1" 403 3357 "http://example.com/admin/" "\"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\""

(Hm. I think autoreferer must be part of the bot script.) There were lots more; I just grabbed the first three.

I think I've been told at least twice what xmlrpc.php is, but it won't stick :(
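As an added illustration, not code from the thread or from any of its posters: a small Python audit that applies the patterns lucy24 describes (^-?$ for an absent UA and ^\W as the catch-all, plus ^\$ for the $UA case keyplyr reported) to the user-agent field of Apache combined-format log lines like the ones quoted above. The log lines in it are constructed for the example; it undoes Apache's \" escaping first so the match runs against the header value mod_rewrite would actually see, which is why \"Mozilla lands in the same bucket as the opening ().

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The user agent is the last quoted field; Apache logs a literal quote inside
# a header value as \" which is why the thread's logs show \"Mozilla.
SAMPLE_LOG = r'''203.0.113.10 - - [25/Jun/2016:23:10:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "$UA"
203.0.113.11 - - [25/Jun/2016:23:11:14 +0000] "GET /xmlrpc.php HTTP/1.1" 403 3301 "http://example.com/xmlrpc.php" "\"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\""
203.0.113.12 - - [25/Jun/2016:23:12:40 +0000] "GET /admin/ HTTP/1.1" 403 3357 "-" "()"
203.0.113.13 - - [25/Jun/2016:23:13:05 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "-"
203.0.113.14 - - [25/Jun/2016:23:14:22 +0000] "GET /page.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"'''

# Ordered rules; each is the same expression one would put in a
# RewriteCond on %{HTTP_USER_AGENT}. The specific ones come first so the
# report says *why* a UA was caught, then ^\W as the catch-all.
RULES = [
    ("empty", re.compile(r"^-?$")),           # no UA header at all (logged as "-")
    ("leading_dollar", re.compile(r"^\$")),   # an unexpanded variable such as "$UA"
    ("leading_nonword", re.compile(r"^\W")),  # any other non-word first character
]

# Matches the last double-quoted field of a line, allowing backslash escapes
# inside it so an escaped quote does not end the field early.
UA_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')


def extract_user_agent(line):
    """Return the user-agent field exactly as logged, or None if absent."""
    m = UA_FIELD.search(line)
    return m.group(1) if m else None


def unescape_log_field(raw):
    """Undo Apache's backslash escaping (a logged backslash-quote pair becomes
    a plain quote) so the value matches what mod_rewrite saw in the header."""
    return re.sub(r"\\(.)", r"\1", raw)


def classify_user_agent(ua):
    """Name of the first matching rule, or None for an ordinary-looking UA."""
    for name, pattern in RULES:
        if pattern.search(ua):
            return name
    return None


def audit_log(text):
    """Classify every line; returns (per-rule counts, list of flagged hits)."""
    counts = Counter()
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = extract_user_agent(line)
        if raw is None:
            continue
        ua = unescape_log_field(raw)
        rule = classify_user_agent(ua)
        if rule:
            counts[rule] += 1
            flagged.append((line.split(" ", 1)[0], ua, rule))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = audit_log(SAMPLE_LOG)
    for ip, ua, rule in flagged:
        print(f"{rule:16} {ip:15} {ua!r}")
    print(dict(counts))
```

Run as-is it reports four of the five constructed lines: the $UA line under leading_dollar, the \"Mozilla and () lines under leading_nonword, and the "-" line under empty; the genuine Firefox UA passes. Running it over a real access log shows how often each pattern actually fires before committing to ^\W alone, which is the question lucy24 went off to check.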

keyplyr

6:29 am on Jun 26, 2016 (gmt 0)


Well that's a different UA. I just meant the "\"Mozilla part.

Pretty sure I ID'd that one last year about the same time as the xmlrpc.php exploit.

Here's the exploit report:
[webmasterworld.com...]

Still think the first part of the UA is a bookmark updater, so possibly it is being included as part of a UA spoof in this bot of yours, but who knows?

IMO once these exploit scripts prove to be successful, they get repackaged, sold and resold. Parts of one become parts of another.

lucy24

4:35 pm on Jun 26, 2016 (gmt 0)


Ah, that's what it was. So basically it's another way of saying "Psst, hey you, website, got any WordPress files I can attack?" One of those times when returning a manual 404 may be the most effective response, if you can bring yourself to do it.

Andy Langton

11:26 am on Jun 27, 2016 (gmt 0)


$UA


Perhaps they intended to set a UA with the variable $UA, and just failed to code it correctly and passed it as a string? I see a few user-agents where this happens.

keyplyr

12:56 pm on Jun 27, 2016 (gmt 0)


Hadn't thought of that, thanks.