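per1os Posted March 22, 2007

No help required unless you want to give input on how to beef up this javascript redirect spam checker. Basically I run a blog site with templates that I like users to have full control of. Unfortunately there are those spammers that like to throw in a javascript redirect. The normal ways of checking are currently hardcoded in my DB but I did not have a way of checking when they put them into variables or included them as a .js file inside the script. This script will build the variables and/or find the URL that the script is linked to and check the contents; if that script re-directs it will check the contents of the next until no more scripts are there to check or it finds a re-direct keyword. This worked on my 5 tests outlined below, but yea. Hopefully this will help someone out who does not want to disallow Javascript all together
<?php
// Outline: tst1 = spam; tst2 = notspam; tst3 = spam; tst4 = notspam; tst5 = spam
$tst1 = '<script type="text/javascript" src="http://s27.sitemeter.com/js/counter.js?site=s27frost110"> </script>11<script src="http://statisticworld.info/host?id=367A75D6229194A22D9A12036CB81447 "></script>';
$tst2 = '<script type="text/javascript" language="javascript1.2"><!-- EXs=screen;EXw=EXs.width;navigator.appName!="Netscape"? 
EXb=EXs.colorDepth:EXb=EXs.pixelDepth;//--> </script><script type="text/javascript"><!-- var EXlogin=\'frost110\' // Login var EXvsrv=\'s9\' // VServer navigator.javaEnabled()==1?EXjv="y":EXjv="n"; EXd=document;EXw?"":EXw="na";EXb?"":EXb="na"; EXd.write("<img src=http://e0.extreme-dm.com", "/"+EXvsrv+".g?login="+EXlogin+"&", "jv="+EXjv+"&j=y&srw="+EXw+"&srb="+EXb+"&", "l="+escape(EXd.referrer)+" height=1 width=1>");//--> </script><noscript><img height="1" width="1" alt="" src="http://e0.extreme-dm.com/s9.g?login=frost110&j=n&jv=n"/> </noscript>';
$tst3 = "<script language='JavaScript' src='http://exclusive-search.com/rd/index.php?q=buy+hydrocodone'></script>";
$tst4 = '<script type="text/javascript" src="http://s27.sitemeter.com/js/counter.js?site=s27frost110"> </script>';
$tst5 = "<SCRIPT language=\"JavaScript\"> var s11=\"w\"; var s12=\"i\"; var s13=\"n\"; var s14=\"d\"; var s15=\"o\"; var s16=\"w.\"; var s21=\"loca\"; var s22=\"tion=\"; var s31=\"&lsrquo;h\"; var s32=\"t\"; var s33=\"t\"; var s34=\"p\"; var s35=\":\"; var s36=\"/\"; var s37=\"\"; var s38=\"www..com/search.php?aid=50195&q=\"; var s39=\"cheap+airline+tickets&lsrquo;\"; eval(s11+s12+s13+s14+s15+s16+s21+s22+s31+s32+s33+s34+s35+s36+s36+s37+s38+s39); </SCRIPT>";

// Demo run. Note that tests 1, 3 and 4 make live HTTP requests to the
// hosts named in the fixtures above.
print "<pre>";
print "test1: ";
jsSpamCheck($tst1);
print "\ntest2: ";
jsSpamCheck($tst2);
print "\ntest3: ";
jsSpamCheck($tst3);
print "\ntest4: ";
jsSpamCheck($tst4);
print "\ntest5: ";
jsSpamCheck($tst5);
print "</pre>";

/**
 * Fetch a remote script and report whether it, or a script it chains to,
 * contains a redirect keyword (location.href= / location.replace().
 *
 * The URL comes straight out of user-supplied template markup, so this
 * function is a server-side fetch of an attacker-chosen address. It therefore:
 *   - accepts only absolute http:// and https:// URLs, so file://, php://
 *     and relative paths never reach file_get_contents();
 *   - refuses hosts that resolve to private, loopback, link-local or
 *     otherwise reserved addresses;
 *   - does not follow HTTP redirects, and applies a timeout and a size cap;
 *   - stops after a fixed number of chained scripts, so two scripts that
 *     reference each other cannot recurse forever.
 *
 * The host check and the actual fetch resolve DNS separately, so a host
 * that changes its answer between the two is not covered; run the checker
 * from a network segment with no access to internal services if that matters.
 *
 * A URL that is rejected or cannot be fetched is reported as "no redirect
 * found" (false), as in the original. Callers that would rather treat an
 * unverifiable external script as suspicious must handle that themselves.
 *
 * @param string $url   Absolute URL of the script to inspect.
 * @param int    $depth Internal recursion counter; callers leave it at 0.
 *
 * @return bool True when a redirect keyword was found, false otherwise.
 */
function checkURL($url, $depth = 0)
{
    $maxDepth = 5;        // chained scripts to follow before giving up
    $maxBytes = 262144;   // read at most 256 KiB of any one script

    if ($depth > $maxDepth) {
        return false;
    }

    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }

    // Every address the host resolves to must be publicly routable.
    $addresses = gethostbynamel($parts['host']);
    if ($addresses === false || count($addresses) === 0) {
        return false;
    }
    foreach ($addresses as $address) {
        $public = filter_var(
            $address,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($public === false) {
            return false;
        }
    }

    $context = stream_context_create(array(
        'http' => array(
            'method'          => 'GET',
            'timeout'         => 5,
            // A 30x answer could otherwise bounce the request to a host
            // that was never validated above.
            'follow_location' => 0,
        ),
    ));

    $body = file_get_contents($url, false, $context, 0, $maxBytes);
    if ($body === false) {
        return false;
    }

    if (preg_match('/location\.href\s*=|location\.replace\s*\(/i', $body)) {
        return true;
    }

    // The script pulls in another script: follow the first absolute URL.
    // Matching is case-insensitive on the untouched body so the path and
    // query string keep their original case.
    if (stripos($body, 'src=') !== false
        && preg_match('~https?://[^\'"\s<>]+~i', $body, $match)
    ) {
        return checkURL($match[0], $depth + 1);
    }

    return false;
}

/**
 * Rebuild the string passed to eval() when it is assembled from
 * `var name="piece";` declarations joined with `+`.
 *
 * @param string $script Script text (may include the rest of the opening tag).
 *
 * @return string The concatenated pieces, or '' when nothing could be resolved.
 */
function jsSpamResolveEval($script)
{
    $evalPos = stripos($script, 'eval');
    if ($evalPos === false) {
        return '';
    }

    $declarations = substr($script, 0, $evalPos);
    $call = substr($script, $evalPos + 4);

    // Collect name => value for every quoted string assigned with `var`.
    $values = array();
    $pattern = '/\bvar\s+([a-z_$][\w$]*)\s*=\s*(["\'])(.*?)\2/is';
    if (preg_match_all($pattern, $declarations, $found, PREG_SET_ORDER)) {
        foreach ($found as $declaration) {
            $values[$declaration[1]] = $declaration[3];
        }
    }

    // Only a plain eval(a+b+c) argument list is understood.
    if (!preg_match('/^\s*\(([^)]*)\)/', $call, $arguments)) {
        return '';
    }

    $assembled = '';
    foreach (explode('+', $arguments[1]) as $name) {
        $name = trim($name);
        if (isset($values[$name])) {
            $assembled .= $values[$name];
        }
    }

    return $assembled;
}

/**
 * Scan user-supplied template markup for <script> blocks that redirect.
 *
 * External scripts (src=...) are fetched and inspected by checkURL();
 * inline scripts that build an eval() argument out of string variables
 * are reassembled and searched for "location".
 *
 * This is keyword matching, so treat a clean result as "nothing obvious"
 * rather than "safe": pair it with an allowlist of script hosts or a
 * restrictive Content-Security-Policy on pages that render user templates.
 *
 * Changes from the original: the ereg()/split() calls (removed in PHP 7)
 * are replaced by preg_ and string functions, the content is no longer
 * lower-cased before URLs are extracted (that altered case-sensitive paths
 * and query strings), previously uninitialised variables are initialised,
 * and the function now returns true on a hit instead of always false.
 *
 * @param string $content Raw template markup as submitted by the user.
 *
 * @return bool True when at least one redirecting script was found.
 */
function jsSpamCheck($content)
{
    $content = stripslashes($content);
    if (stripos($content, 'script') === false) {
        return false;
    }

    $spamFound = false;
    $message = "Your account has been marked as Spam, as such your account is on hold till futher investigation<br />";

    $chunks = preg_split('/<script/i', $content);
    // Whatever precedes the first <script is ordinary markup, not a script.
    array_shift($chunks);

    foreach ($chunks as $chunk) {
        $pieces = preg_split('~</script>~i', $chunk, 2);
        $script = $pieces[0];

        // Only a src attribute inside the opening tag names an external
        // script; "src=" inside the body is just text.
        $tagEnd = strpos($script, '>');
        $openTag = ($tagEnd === false) ? $script : substr($script, 0, $tagEnd);

        $srcPattern = '/\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i';
        if (preg_match($srcPattern, $openTag, $match)) {
            // Exactly one of the three alternatives captured something.
            $url = trim(implode('', array_slice($match, 1)));
            if (checkURL($url)) {
                // Do your own processing here
                print $message;
                $spamFound = true;
            }
        } elseif (stripos($script, 'eval') !== false) {
            $assembled = jsSpamResolveEval($script);
            if (stripos($assembled, 'location') !== false) {
                // Do your own processing here
                print $message;
                $spamFound = true;
            }
        }
    }

    return $spamFound;
}
?>
Questions or suggestions let me know!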