David, the first thing is always to look at the IP where the bot came from.
If you google “Whois 10.168.1.23” then the first result is this page:
http://ip.domaintasks.com/10.168.1.22
You can see that 10.168.1.22 is a private IP and not a valid IP where a valid bot would come from.
IMHO BPS is working without any flaw here – you will see lots of such entries where the user agent string looks valid but this is what the bad guys always do – make those requests look as valid as possible.
Just check the IPs with a whois lookup and you see if it is valid or not. My 2 cents.
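
The check described in the reply above can be run over a whole access log. This is an added example, not part of the original post: the log lines are constructed samples in Apache combined format, and the `BOT_TOKENS` list and function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample lines in Apache combined log format (not taken from the post).
SAMPLE_LOG = '''\
10.168.1.22 - - [01/Jan/2013:10:00:00 +0000] "GET / HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
8.8.8.8 - - [01/Jan/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
127.0.0.1 - - [01/Jan/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
169.254.10.5 - - [01/Jan/2013:10:00:03 +0000] "GET / HTTP/1.1" 403 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
this line is not a log entry
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
BOT_TOKENS = ("googlebot", "bingbot")  # assumed list of crawler names to watch for


def address_class(ip):
    """Return why an address cannot belong to an internet crawler, or None if it is public."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if not ip.is_global:
        return "not globally routable"
    return None


def suspicious_bot_hits(log_text):
    """List (ip, claimed_bot, reason) where the user agent names a crawler but the source IP is not public."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format entry
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage in the client field
        ua = m.group(2).lower()
        bot = next((t for t in BOT_TOKENS if t in ua), None)
        reason = address_class(ip)
        if bot and reason:
            hits.append((str(ip), bot, reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_bot_hits(SAMPLE_LOG):
        print(hit)
```

A public address only passes this first filter and still needs the whois lookup described above. If the site sits behind a reverse proxy or load balancer, the logged client field may be the proxy's own private address, so check which field holds the real client IP first.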