|
8 | 8 | * License: GNU/GPLv2 |
9 | 9 | * @see LICENSE.txt |
10 | 10 | * |
11 | | - * This file: Referrer spam module (last modified: 2026.01.14). |
| 11 | + * This file: Referrer spam module (last modified: 2026.03.18). |
12 | 12 | * |
13 | 13 | * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High » |
14 | 14 | */ |
|
31 | 31 | } |
32 | 32 |
|
33 | 33 | /** Process to get the domain part. */ |
34 | | - $Domain = preg_replace(['~^[a-z]+:[\\/]*(?:www\d*\.)?~i', '~[\\/:].*$~', '[ \n\r]'], '', $this->BlockInfo['Referrer']); |
| 34 | + $Domain = \preg_replace(['~^[a-z]+:[\\/]*(?:www\d*\.)?~i', '~[\\/:].*$~', '[ \n\r]'], '', $this->BlockInfo['Referrer']); |
35 | 35 |
|
36 | 36 | /** Lower-case domain part. */ |
37 | | - $RefLC = strtolower($Domain); |
| 37 | + $RefLC = \strtolower($Domain); |
38 | 38 |
|
39 | 39 | /** Convert punycode to UTF-8 (as long as Intl is available). */ |
40 | | - if (strpos($RefLC, 'xn--') !== false && function_exists('idn_to_utf8')) { |
41 | | - $Domain = explode('.', $Domain); |
| 40 | + if (\strpos($RefLC, 'xn--') !== false && \function_exists('idn_to_utf8')) { |
| 41 | + $Domain = \explode('.', $Domain); |
42 | 42 | foreach ($Domain as &$DomainPart) { |
43 | | - if (strtolower(substr($DomainPart, 0, 4)) !== 'xn--') { |
| 43 | + if (\strtolower(\substr($DomainPart, 0, 4)) !== 'xn--') { |
44 | 44 | continue; |
45 | 45 | } |
46 | 46 | try { |
47 | | - $DomainPartTest = idn_to_utf8($DomainPart); |
| 47 | + $DomainPartTest = \idn_to_utf8($DomainPart); |
48 | 48 | if ($DomainPartTest) { |
49 | 49 | $DomainPart = $DomainPartTest; |
50 | 50 | } |
51 | 51 | } catch (\Exception $e) { |
52 | 52 | } |
53 | 53 | } |
54 | 54 | unset($DomainPartTest, $e, $DomainPart); |
55 | | - $Domain = implode('.', $Domain); |
| 55 | + $Domain = \implode('.', $Domain); |
56 | 56 | } |
57 | 57 |
|
58 | 58 | /** Signatures begin here. */ |
59 | 59 | if ( |
60 | | - $this->trigger(preg_match( |
| 60 | + $this->trigger(\preg_match( |
61 | 61 | '~(?:(?:\d{1,8}[a-z]{1,2}|a(?:dviceforum|llknow|llwomen|rtdeko|vkzaraboto' . |
62 | 62 | 'k)|b(?:estoffer[a-z]{1,8}|if-ru|izru|luerobot|rillianty|uy-cheap-online)' . |
63 | 63 | '|call-of-duty|earnian-money|f(?:inansov|or-marketersy|orsex|orum69|reeno' . |
|
84 | 84 | 'ue)\.xyz)$~i', |
85 | 85 | $Domain |
86 | 86 | ), 'Referrer spam detected (' . $Domain . ')') || // (info, site, top, tv, xyz) 2020.04.13 |
87 | | - $this->trigger(preg_match( |
| 87 | + $this->trigger(\preg_match( |
88 | 88 | '~(?:(?:(?:ai-?|auto|-)seo-(?:services?|traffic)|3(?:-letter-domains|wayn' . |
89 | 89 | 'etworks)?|\d-\d{0,4}(?:seo|best|free)(?:-?seo|-?best|-?free|-?share-butt' . |
90 | 90 | 'ons)|\d{0,4}(?:-reasons-for-seo|dollars-seo|searchengines)|\d{1,2}(?:\D' . |
|
99 | 99 | 'vice|solution|tip)s?)\.(?:blue|com|pro|tk))$~i', |
100 | 100 | $Domain |
101 | 101 | ), 'Referrer spam detected (' . $Domain . ')') || // (Generic SEO/traffic refspam) 2019.09.28 |
102 | | - $this->trigger(preg_match( |
| 102 | + $this->trigger(\preg_match( |
103 | 103 | '~(?:-blanca|-fulldrive|-zheleza|[a-z]{2,3}-lk-rt|allvacancy|artclipart|b' . |
104 | 104 | 'eclean-nn|dev-seo|dojki-devki|ege-essay|englishtopic|fialka\.tomsk|gelst' . |
105 | 105 | 'ate|gidonline|hit-kino|iskussnica|kabinet-[-a-z\d]{1,16}|lalalove|mamyli' . |
|
108 | 108 | 'ufa|ximoda|your-tales)\.(?:blog|mobi|ru)$~i', |
109 | 109 | $Domain |
110 | 110 | ), 'Referrer spam detected (' . $Domain . ')') || // (blog, mobi, ru) 2019.09.28 |
111 | | - $this->trigger(preg_match( |
| 111 | + $this->trigger(\preg_match( |
112 | 112 | '~(?:(?:-kredit|predmety|ukrtvory|пептиды|zagadki)\.in|-dereva\.kiev|auto' . |
113 | 113 | 'blog\.org|credit\.co|(?:kakadu-interior|naturalpharm|shopfishing|supermo' . |
114 | 114 | 'dni|vezdevoz)\.com)\.ua$|(?:ecommerce-seo|generalporn)\.org|-on-you\.ga|' . |
|
119 | 119 | '|xtraffic\.|fetish\.(?:com|site)$|coast\.com$|library\.cc$~i', |
120 | 120 | $Domain |
121 | 121 | ), 'Referrer spam detected (' . $Domain . ')') || // (ua, su, porn refspam, etc) 2020.04.13 |
122 | | - $this->trigger(preg_match( |
| 122 | + $this->trigger(\preg_match( |
123 | 123 | '~(?:(?:drev|mrbojikobi4|s-forum)\.biz|infogame\.name|(?:expediacustomers' . |
124 | 124 | 'ervicenumber|kinostar)\.online|(?:anabolics|veles)\.shop)$~i', |
125 | 125 | $Domain |
126 | 126 | ), 'Referrer spam detected (' . $Domain . ')') || // (biz, name, online, shop) 2019.09.28 |
127 | | - $this->trigger(preg_match( |
| 127 | + $this->trigger(\preg_match( |
128 | 128 | '~(?:aitiman\.ae|rutor\.group|(?:medbrowse|piluli)\.info|(?:dantk|kazlent' . |
129 | 129 | 'a)\.kz|rxshop\.md|(?:belreferatov|mnogabukaff|sexuria|sssexxx|torrentgam' . |
130 | 130 | 'er)\.net|vseigru\.one|draniki\.org|vpdr\.pl)$~i', |
131 | 131 | $Domain |
132 | 132 | ), 'Referrer spam detected (' . $Domain . ')') || // (misc. other) 2019.09.28 |
133 | | - $this->trigger(preg_match( |
| 133 | + $this->trigger(\preg_match( |
134 | 134 | '~(?:-poesie?|(?:arabic|spain)-poetry|-v-krym|\d[a-z]{2}\d|24h|4-less|alb' . |
135 | 135 | 'uteroli|automobile-spec|avcoast|backlinks-fast-top|baixar-musicas-gratis' . |
136 | 136 | '|beauty-lesson|bestfortraders|bin-brokers|break-the-chains|buttons?-for-' . |
|
153 | 153 | } |
154 | 154 |
|
155 | 155 | if ($this->trigger( |
156 | | - preg_match('~delta-?search|vi-view\.com~i', $Domain), |
| 156 | + \preg_match('~delta-?search|vi-view\.com~i', $Domain), |
157 | 157 | 'Referrer spam detected (' . $Domain . ')' |
158 | 158 | )) { |
159 | 159 | $this->Reporter->report([10, 20], [ |
160 | 160 | 'Referrer spam with recognised correlation to malware originating from this address detected (host might be compromised).' |
161 | 161 | ], $this->BlockInfo['IPAddr']); |
162 | 162 | } // 2019.08.12 |
163 | 163 |
|
164 | | - if ($this->trigger(preg_match( |
| 164 | + if ($this->trigger(\preg_match( |
165 | 165 | '~(?:[-b-df-hj-np-tv-z\d\.]{5}\.xyz|\.(?:country|cricket|gq|kim|link|part' . |
166 | 166 | 'y|review|science|work|xxx|xzone|zip)|powernetshop\.at|3w1\.eu|(?:cat-tre' . |
167 | 167 | 'e-house|doctoryuval|justfree|netvibes|traf(?:ers|ficfaker)|webscutest)\.' . |
|
174 | 174 | ], $this->BlockInfo['IPAddr']); |
175 | 175 | } // 2019.08.14 mod 2026.01.14 (removed some old entries) |
176 | 176 |
|
177 | | - if ($this->trigger(preg_match( |
| 177 | + if ($this->trigger(\preg_match( |
178 | 178 | '~(?:android-style|anti-crisis-seo|hvd-store|med-dopomoga|oohlivecams|pai' . |
179 | 179 | 'nting-planet|vzubkah)\.com|quickchange\.cc|(?:sharebutton|spravkavspb)\.' . |
180 | 180 | 'net|elvel\.com\.ua|shoppingmiracles\.co\.uk|(?:biz-law|brothers-smaller|' . |
|
193 | 193 | ], $this->BlockInfo['IPAddr']); |
194 | 194 | } // (circa ~2020 additions) 2020.04.13 |
195 | 195 |
|
196 | | - if ($this->trigger(preg_match( |
| 196 | + if ($this->trigger(\preg_match( |
197 | 197 | '~anonymousfox\.co|binance\.com~i', |
198 | 198 | $Domain |
199 | 199 | ), 'Referrer spam detected (' . $Domain . ')')) { |
|
202 | 202 | ], $this->BlockInfo['IPAddr']); |
203 | 203 | } // 2023.06.16 |
204 | 204 |
|
205 | | - if ($this->trigger(preg_match('~//blog//wp-login\.php$~i', $this->BlockInfo['Referrer']), 'Hack attempt via referrer header injection detected')) { |
| 205 | + if ($this->trigger(\preg_match('~//blog//wp-login\.php$~i', $this->BlockInfo['Referrer']), 'Hack attempt via referrer header injection detected')) { |
206 | 206 | $this->Reporter->report([10, 15, 21], ['Hack attempt via referrer header injection detected.'], $this->BlockInfo['IPAddr']); |
207 | 207 | } // 2025.07.24 |
208 | 208 |
|
|
0 commit comments