function testPost(ISblamPost $p) { if (!$this->checksum) { return; } $res = $this->db->query(sprintf("/*maxtime5*/SELECT count,ip FROM dupes WHERE checksum = UNHEX('%s') LIMIT 1", $this->checksum)); if ($res) { $res = $res->fetchAll(); } else { return NULL; } if (count($res)) { $res = $res[0]; $allowed = 2; // double-posting? if (false !== strpos($p->getPath(), 'editpost')) { $allowed++; } $score = ($res['count'] - $allowed) / 15; $cert = self::CERTAINITY_LOW; if ($res['count'] > 35) { $score += 2; $cert = self::CERTAINITY_HIGH; } elseif ($res['count'] > 20) { $score += 0.8; $cert = self::CERTAINITY_HIGH; } elseif ($res['count'] > 10) { $score += 0.4; $cert = self::CERTAINITY_HIGH; } elseif ($res['count'] > 5) { $score += 0.2; $cert = self::CERTAINITY_NORMAL; } $ip = long2ip($res['ip']); if ($ip != $p->getAuthorIP()) { $score = ($score + 0.3) * 1.2; } // different IP? botnet! if ($this->length > 250) { $score = ($score + 0.1) * 1.5; } // less likely to accidentally dupe if ($score > 0.1) { $score = min($score, 2) + min($score / 5, 4); return array($score, $cert, "Duplicate (x" . round($res['count']) . " = " . round($score, 1) . ")"); } } }
function testPost(ISblamPost $p) { $h = $p->getHeaders(); if (!$h || count($h) < 2) { return NULL; } // HTTP_HOST is hardcoded! :/// $out = array(); if (!empty($h['HTTP_MOD_SECURITY_MESSAGE'])) { $out[] = array(1, self::CERTAINITY_HIGH, "mod_security warning"); } // Buggy .Net always adds header which is only needed for large forms (and browsers tend not to use it) if (!empty($h["HTTP_EXPECT"]) && false !== strpos($h['HTTP_EXPECT'], '100-') && strlen($p->getRawContent()) < 5000) { $out[] = array(0.3, self::CERTAINITY_NORMAL, "100-expect .Net header"); } // Bots tend to send these if (!empty($h["HTTP_PRAGMA"])) { $out[] = array(empty($h["HTTP_VIA"]) ? 0.3 : 0.1, self::CERTAINITY_LOW, "Pragma header"); } if (!empty($h["HTTP_RANGE"])) { $out[] = array(0.5, self::CERTAINITY_HIGH, "Range header"); } if (!empty($h["HTTP_PROXY_CONNECTION"])) { $out[] = array(0.2, self::CERTAINITY_LOW, "Proxy-Connection header"); } if (!empty($h["HTTP_REFERER"]) && ($cnt = substr_count($h["HTTP_REFERER"], "http://")) > 1) { $out[] = array(min(1.5, 0.5 + $cnt / 6), self::CERTAINITY_HIGH, "Multiple links in referrer"); } if (($cnt = count($p->getAuthorIPs())) > 4) { $out[] = array(($cnt - 2) / 10, $cnt > 7 ? self::CERTAINITY_HIGH : self::CERTAINITY_NORMAL, "Insane number of relays ({$cnt})"); } // Unpatched IE!? if (!empty($h["HTTP_USER_AGENT"]) && preg_match('/MSIE [456]\\.[0-9]; Windows (?:9|NT 5)/', $h['HTTP_USER_AGENT'])) { $out[] = array(0.3, self::CERTAINITY_NORMAL, "Unpatched IE"); } // Browsers almost always send these if (empty($h["HTTP_ACCEPT"])) { $out[] = array(0.7, self::CERTAINITY_NORMAL, "Missing Accept header"); } if (empty($h["HTTP_USER_AGENT"])) { $out[] = array(1, self::CERTAINITY_NORMAL, "Missing UA header"); } if (empty($h["HTTP_ACCEPT_LANGUAGE"])) { $out[] = array(0.5, self::CERTAINITY_NORMAL, "Missing Accept-Language header"); } if (empty($h["HTTP_ACCEPT_ENCODING"]) && empty($h["HTTP_VIA"]) && (empty($h["HTTP_USER_AGENT"]) || false === strpos($h["HTTP_USER_AGENT"], 'Mozilla/4.0 (compatible; MSIE '))) { $out[] = array(0.4, self::CERTAINITY_LOW, "Missing Accept-Encoding header"); } if (!empty($h["HTTP_ACCEPT_CHARSET"])) { $out[] = array(-0.2, self::CERTAINITY_LOW, "Has Accept-Charset header"); } // Non-transparent proxy must add Via header if (empty($h["HTTP_VIA"]) && (!empty($h['HTTP_X_FORWARDED_FOR']) || !empty($h['HTTP_MAX_FORWARDS']))) { $out[] = array(0.2, self::CERTAINITY_LOW, "Lame proxy"); } // TE: requires Connection:TE if (!empty($h["HTTP_TE"]) && (empty($h['HTTP_CONNECTION']) || !preg_match('!\\bTE\\b!', $h['HTTP_CONNECTION']))) { $out[] = array(0.2, self::CERTAINITY_NORMAL, "Invalid TE header"); } // Googlebot doesn't post comments! if (!empty($h['HTTP_USER_AGENT']) && preg_match('!Googlebot[/ -]|Slurp|Wget/|W3C_Validator|Advertise\\.com|nicebot|MMCrawler/|MSIECrawler|ia_archiver|WebaltBot/|nutbot\\.com|\\+http://search\\.!', $h['HTTP_USER_AGENT'])) { $out[] = array(1, self::CERTAINITY_NORMAL, "Bots don't post comments"); } // Headless browsers no thanks if (!empty($h['HTTP_USER_AGENT']) && preg_match('!PhantomJS|CasperJS!', $h['HTTP_USER_AGENT'])) { $out[] = array(1, self::CERTAINITY_HIGH, "Nice try, PhantomJS"); } if (!empty($h['HTTP_USERAGENT']) || !empty($h['HTTP_USER_AGENT']) && preg_match('!^User-Agent!i', $h['HTTP_USER_AGENT'])) { $out[] = array(1, self::CERTAINITY_NORMAL, "Really badly written bot"); } // I assume multipart forms are too tricky for most bots if (!empty($h['HTTP_CONTENT_LENGTH']) && !empty($h['HTTP_CONTENT_TYPE']) && preg_match('!^\\s*multipart/form-data\\s*;\\s*boundary\\s*=!i', $h['HTTP_CONTENT_TYPE'])) { $out[] = array(-0.2, self::CERTAINITY_LOW, "Multipart form"); } // browsers nicely decode and normalize paths, remove fragment part if (($path = $p->getPath()) && preg_match('!&|^https?://|^//|/%7e|#|\\.\\./!i', $path)) { $out[] = array(0.3, self::CERTAINITY_NORMAL, "Improperly encoded path"); } if (!empty($h["HTTP_REFERER"]) && preg_match('!&|/%7e|\\.\\./!i', $h["HTTP_REFERER"])) { $out[] = array(0.25, self::CERTAINITY_LOW, "Improperly encoded referer"); } if (count($out)) { return $out; } }