How do I modify Apache mod_security to accept incoming IPN requests?
Per RFC 2616 Section 14.43, the User-Agent header is a recommended, but not required, header for HTTP/1.1 communication requests. Because request header spoofing is trivial, it shouldn't be relied upon as part of a security validator.
To permit incoming IPN requests from notify.paypal.com, which doesn't supply the User-Agent header, change the mod_security config to accept all connections from *.paypal.com. To do so, add something similar to the following line before the line denying empty User-Agent headers:
# Every rule needs a unique id in ModSecurity 2.7 and later; the value here is a placeholder
SecRule REMOTE_HOST "\.paypal\.com$" "id:10001,allow,log,logdata:'Permitting incoming connection from PayPal'"
This will permit incoming connections from the paypal.com domain, while allowing you to deny other connections that don't supply the User-Agent header.
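As an added example (not part of the original article), the fragment below shows the allow rule placed ahead of a typical empty-User-Agent deny rule, with the same phase on both so the allow is evaluated first. The rule ids, the phase setting, the deny rule itself and the HostnameLookups directive are assumptions not present in the original; adjust them to your own configuration.

```apache
# REMOTE_HOST only holds a hostname when Apache resolves client addresses;
# with HostnameLookups Off it holds the bare IP and "\.paypal\.com$" never matches.
# "Double" performs a forward-confirmed reverse lookup, so a client whose PTR
# record merely claims to be under paypal.com does not satisfy the match.
HostnameLookups Double

# Rule ids 10001/10002 are placeholders in the range ModSecurity reserves for
# local use; both rules run in phase 1 (request headers) so that the allow
# rule is always evaluated before the deny rule that follows it.
SecRule REMOTE_HOST "\.paypal\.com$" \
    "id:10001,phase:1,allow,log,logdata:'Permitting incoming connection from PayPal'"

# &REQUEST_HEADERS:User-Agent counts the User-Agent headers present;
# zero means the header was omitted entirely.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:10002,phase:1,deny,status:403,log,msg:'Request without User-Agent header'"
```

Because the allow rule uses a bare `allow`, a matching PayPal request skips the remaining rules in this and later phases, so keep any checks you still want applied to IPN traffic above it.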