I got some click-bombing attacks on my site and the bots that made the attacks have this user agent: “-” . I also have heard that empty user agent as well may be a bad boot. But I am not sure will denying access to visitors with empty user agent may as well block some legitimate users.
So I use this rewrite condition to block both users with blank and “-” user agent:
The {HTTP_USER_AGENT} is notoriously unreliable but few legitimate users would even think to modify it so, if you’re having problems with blank or “-” as a user agent, go ahead and block. However, I’d change your start anchor only to .? (anything) to guarantee a match.