Block access to wp-comments.php

Action
and
Expression Preview: (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "yoursite.com")
Field: URI Path
Operator: equals
Tag: securityagressive
Value: /wp-comments-post.php