2014-10-16T17:51:07
Stop Arbitrary Posts Against WordPress
Add the following to your .htaccess file to block POST requests to wp-comments-post.php and wp-login.php whose HTTP referrer does not contain your domain or whose user agent is empty. Matching requests are redirected back to the client's own IP address.
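<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests to the comment and login handlers
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php
# Referer does not contain your domain, or the User-Agent is empty
RewriteCond %{HTTP_REFERER} !.*domain.name.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Redirect the client to its own IP address
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>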
Replace domain.name with your domain name (sans www subdomain).
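An added example, not part of the original page: a Python sketch that replays Apache combined-format access-log lines through the same conditions, so you can see which clients the rule would redirect before deploying it. The log lines, IP addresses and `example.com` are constructed sample data; `would_redirect` and `affected_clients` are hypothetical helper names, and a plain substring test stands in for the referer regex.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TARGET_RE = re.compile(r'/(wp-comments-post|wp-login)\.php')

# Constructed sample log lines (documentation IP ranges, assumed domain example.com).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2014:17:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "-"',
    '198.51.100.23 - - [16/Oct/2014:17:41:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/hello-world/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [16/Oct/2014:17:42:30 +0000] "POST /wp-login.php HTTP/1.0" 200 1523 "http://other.test/" "Mozilla/5.0"',
    '192.0.2.45 - - [16/Oct/2014:17:43:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "-"',
    '192.0.2.46 - - [16/Oct/2014:17:44:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
]

def would_redirect(line, domain):
    """Return the client IP if the rule would redirect this request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # First two RewriteCond lines: POST to one of the two handlers.
    if m["method"] != "POST" or not TARGET_RE.search(m["uri"]):
        return None
    # Apache logs a missing header as "-"; mod_rewrite sees an empty string.
    referer = "" if m["referer"] == "-" else m["referer"]
    agent = "" if m["agent"] == "-" else m["agent"]
    # [OR] joins the last two conditions: foreign or missing referer, or empty agent.
    if domain not in referer or agent == "":
        return m["ip"]
    return None

def affected_clients(lines, domain):
    """List the client IPs, in log order, that the rule would redirect."""
    return [ip for ip in (would_redirect(l, domain) for l in lines) if ip]

if __name__ == "__main__":
    for ip in affected_clients(SAMPLE_LOG, "example.com"):
        print(ip)
```

Both headers are supplied by the client, so the rule only filters clients that omit them or send a referrer from elsewhere.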