<?php
/*
Plugin Name: Three Strikes TarPit
Version: 0.0
Plugin URI: http://www.robertcorr.net/blog/2004/10/28/three-strikes-tarpit/
Description: Uses Mark Ghosh's excellent Three Strikes spam detection method, and then sticks the spammer in Dougall Campbell's TarPit.
Author: Robert Corr
Author URI: http://www.robertcorr.net/blog/
License: GPL

History: Three Strikes 1.1 Beta + TarPit 1.3

*/

/*** Configuration: you can customize these settings: ***/

// The delete threshold. If too much spam is getting through, decrease the number. If too many legitimate comments are deleted, increase the number.
		$SpamThreshold = 3;

// How many seconds to delay the spammer:
$tarpit = 5;

// If true, automatically match IP numbers listed in moderation_keys
$use_moderation_keys = true;

// If true, send and email to the blog admin
$send_email = true;


/*** End Configuration (you shouldn't need to edit anything else) ***/

//This is URL Decode, much like javascript unescape
//http://www.yuki-onna.co.uk/html/encode.html
function utf8RawUrlDecode ($source) {
    $decodedStr = '';
    $pos = 0;
    $len = strlen ($source);
    while ($pos < $len) {
        $charAt = substr ($source, $pos, 1);
        if ($charAt == '%') {
            $pos++;
            $charAt = substr ($source, $pos, 1);
            if ($charAt == 'u') {
                // we got a unicode character
                $pos++;
                $unicodeHexVal = substr ($source, $pos, 4);
                $unicode = hexdec ($unicodeHexVal);
                $entity = "&#". $unicode . ';';
                $decodedStr .= utf8_encode ($entity);
                $pos += 4;
            }
            else {
                // we have an escaped ascii character
                $hexVal = substr ($source, $pos, 2);
                $decodedStr .= chr (hexdec ($hexVal));
                $pos += 2;
            }
        }
        else {
            $decodedStr .= $charAt;
            $pos++;
        }
    }
    return $decodedStr;
}


$strikes = 0;
if ($_POST['comment'] && !is_array($_POST['comment'])) {
	//Make sure the information received is parsed, cleaned and stripped correctly (from WP codebase)
	if (!get_magic_quotes_gpc()) {
		$_POST   = add_magic_quotes($_POST);
		$_COOKIE = add_magic_quotes($_COOKIE);
	}

	$author = trim(strip_tags($_POST['author']));
	$email = trim(strip_tags($_POST['email']));
	if (strlen($email) < 6)
		$email = '';
	$url = trim(strip_tags($_POST['url']));
	$url = ((!stristr($url, '://')) && ($url != '')) ? 'http://'.$url : $url;
	if (strlen($url) < 7)
		$url = '';
	$comment = trim($_POST['comment']);
	$user_ip = $_SERVER['REMOTE_ADDR'];
	$comment = balanceTags($comment, 1);
	$comment = format_to_post($comment);
	$comment = apply_filters('post_comment_text', $comment);
	
	//Make sure we check the encoded version of the comments and the URLs as well
	$author_encoded = utf8RawUrlDecode($author);
	$email_encoded = utf8RawUrlDecode($email);
	$url_encoded = utf8RawUrlDecode($url);
	$comment_encoded = utf8RawUrlDecode($comment);

	//Strike: Check the number of links in the comment, first strike if more than one
	if ( (count(explode('http:', $comment)) - 1) >= get_settings('comment_max_links') )
		$strike += 1;

	//Strike: If there is a Spam Words Match, you have two strikes
	$words = explode("\n", get_settings('moderation_keys') );
	foreach ($words as $word) {
	$word = trim($word);
	$pattern = "#$word#i";
		if ( preg_match($pattern, $author) ) $strike += 1;
		if ( preg_match($pattern, $email) ) $strike += 1;
		if ( preg_match($pattern, $url) ) $strike += 1;
		if ( preg_match($pattern, $comment) ) $strike += 1;
		if ( preg_match($pattern, $user_ip) ) $strike += 1;
		if ( preg_match($pattern, $author_encoded) ) $strike += 1;
		if ( preg_match($pattern, $email_encoded) ) $strike += 1;
		if ( preg_match($pattern, $url_encoded) ) $strike += 1;
		if ( preg_match($pattern, $comment_encoded) ) $strike += 1;
	}

	//This code is from Dougal's Spam Tar Pit
	// If using moderation_keys, get the IPs and add them to the list
	$modkeys = get_settings( 'moderation_keys' );
	// Got this monster regexp from http://www.regular-expressions.info/examples.html
	$ip_regex = '/^\s*(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\s*$/m';
	$mcount = preg_match_all( $ip_regex, $modkeys, $match_ips );
	$matches = $match_ips[0];
	if ( count( $matches ) > 0 ) {
		// Add IP numbers found
		foreach ( $matches as $ip ) {
			$ip = trim($ip);
			$spammer_ips[] = "/^$ip$/";
		}
	}

	// Strike: Match current visitor IP against banned addresses, every match is a major "strike"
	if ( is_array( $spammer_ips ) ) {
		foreach ($spammer_ips as $ip) {
			if ( preg_match( $ip, $_SERVER['REMOTE_ADDR'] ) ) {
				$strike += 5;
			}
		}
	}

	//Strike: If there is no referer for the posted comment, that is, it did not come from the blog, another strike
	if ('' == $_SERVER['HTTP_REFERER']) {
		$strike += 1;
	}


	//This is where the strikes are processed.
	if ($strike >= $SpamThreshold) {
			// Send an email
			if ($send_email) {
				tarpit_mail();
			}
			// Too many strikes. Into the pit!
			sleep( $tarpit );
			@header('Status: 403 forbidden',403);
			@header('Content-type: text/plain');
echo <<<TXT
COMMENT SPAM DETECTED

Sorry, but this comment looks like spam,
and has been blocked.

This might be because the comment was
posted from a known spammer's IP
address, contained a suspicious number
of hyperlinks, or contained too many
spam-like terms (like "viagra" and
"poker").

Please feel free to try posting your
comment again (you can cut and paste it
from below), but try to reduce the number
of links or change some of the words you
used.


================================
YOUR COMMENT
--------------------------------

$comment

================================




Three Strikes TarPit Plugin
http://www.robertcorr.net/blog/2004/10/28/three-strikes-tarpit/
TXT;
			exit();

	}
}

function tarpit_mail() {
	// Info about the visitor
	$ip = $_SERVER['REMOTE_ADDR'];
	$referer = $_SERVER['HTTP_REFERER'];
	$client= $_SERVER['HTTP_USER_AGENT'];
	$request= $_SERVER['REQUEST_METHOD'] . ' ' . $_SERVER['REQUEST_URI'];
	
	// Message info
	//   server timestamp
	$time = date("r");
	//   blog admin
	$recipient = get_settings('admin_email');
	//   message subject
	$subj = "[Spam] Blog spam blocked: $ip";

	$msg = <<<MSG
The Spammer TarPit has blocked a request to your site. The details of 
the request were as follows:

===================================

Time: $time

Source IP: $ip	

Referer: $referer

Client: $client

HTTP Request: $request

===================================


PLEASE NOTE:

Blocking by IP number is unreliable, because most IP numbers are 
assigned to internet users dynamically by their ISPs. If you have
not recently seen abusive activity from this source, you may want
to consider removing it from the "Comment Moderation" settings in
the WordPress "Discussion Options" admin screen.
	
-- 
Three Strikes TarPit Plugin

MSG;

	// Set a friendlier mail sender address:
	$headers = "From: Blog Spam <" . $recipient . ">\r\n";

	// send the message
	@mail($recipient, $subj, $msg, $headers);
}

?>