I've setup my $htsrv_url to an absolute URL, starting with https:

$htsrv_url = str_replace( 'http://', 'https://', $htsrv_url );

(I've put it in /conf/_overrides_TEST.php, but you might want to change it just in /conf/_advanced.php).

The result:

POST /skins/blueyed/https://www.hahler.de/htsrv/comment_post.php HTTP/1.1" 404 422

They seem to get confused by the HTTPS link in the comment form's action (where the comment should get send to) and append it to the URL given in the skin's <base> URL.

Of course, using SSL/HTTPS needs a server certificate, but it could be that your server is already setup to accept HTTPS urls and maps it to the same files.
Just try, if you can login to your blog through https://example.com/admin/ - it's a good idea anyway to use SSL for $admin_url also.

It seems, that all spammers (or nearly all) do it like that, while coming from different IPs and sending different user agents! Which indicates that they use the same tool, or at least tools with the same bug. I could also imagine that their tools just cannot handle SSL at all.

Hope that helps. At least, until they catch up.