Some research gave the following:

Change the obj.conf file in the config directory of the web server instance (i.e. not the admin-server config directory) and add the "If" below.

<Object name="default">
<If $method = "TRACE" or $method = "OPTIONS">
AuthTrans fn="set-variable" error="501"
</If>
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"

This tells the server to respond to such requests with a 501 error.

The actual response is:

HTTP/1.1 501 Not Implemented
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 22 Feb 2010 20:04:21 GMT
Content-length: 148 Content-type:
text/html Connection: close

Not Implemented

Not Implemented

This server does not implement the requested method.

While it is mostly in use by bots and other crawlers, why not block bots the regular way, by adding/changing the robots.txt file (for the "law-obeying" bots) or by changing your .htaccess file to block the criminals. This site is one of many describing these procedures.

Update: If I were to write a malicious bot today, I'd use http/1.1, just to throw off people blocking 1.0 :).

Second, there may be some legacy browsers that may still use 1.0 (AFAIK all recent browsers use 1.1). These may also include accessibility-type browsers (like Lynx, or blind-support browsers) or browsers on phones/devices that cannot be updated (i.e. my Nokia 6310's browser uses 1.0 - luckily I've switched to a Blackberry). Blocking 1.0 might lose you that type of traffic.

But here's the real easy solution: monitor your logs for a while. If you don't see a lot of 1.0 requests - block it, safely assuming you won't lose too much traffic.