<?php

/****************************************************************************

	REF(errer)SPAM FUCKER 3000
	v1.1, April 8th 2004
	(c) Carlo Zottmann, carlo@g-blog.net, http://G-Spotting.net

	This script is supposed to parse an Apache log file, look for all domains
	that exceed a certain amount of accesses (threshold is set as percentage
	of all accesses), normalize/generalize them and then add it to a
	.htaccess file in order to block those domains for the future.

	Example ruleset generated by this script:

		### REFSPAM FUCKER 3000 ### START
		SetEnvIfNoCase Referer ".*(intralinx).*" BadReferrer
		SetEnvIfNoCase Referer ".*(health-shop).*" BadReferrer
		SetEnvIfNoCase Referer ".*(moneyblaster).*" BadReferrer
		SetEnvIfNoCase Referer ".*(bartertraffic).*" BadReferrer
		# NOBLOCK google
		# NOBLOCK vivisimo
		# NOBLOCK feedster
		order deny,allow
		deny from env=BadReferrer
		### REFSPAM FUCKER 3000 ### END

	Please note that the rules are added to the very top of the .htaccess
	file. The file is opened, the lines are appended, then the file is
	written again. It doesn't overwrite anything in your .htaccess file.
	It still might be a good idea to BACKUP your .htaccess file prior to
	running this script.

	I run RefSpamFucker3000 every night on my spam-ridden domains, so the
	blocking process is fully automated for me. Which is good.

	It might not be perfect, but it works for me. YMMV. Also, the script is
	not very tidy -- it was a half-an-hour job, and I decided to work like
	evolution: it does the job, so it's good enough.

	-Carlo


	CHANGELOG

	- 3000 v1.1, April 8th 2004: Changed the format of the blocking rules,
	  namely the parenthesis were removed, they didn't make sense anyways,
	  also this makes the rules written by RSF3000 (this one) and RSF300*
	  (the souped-up manual version) compatible again.
	  Added support for exclusion tags - example:
	  "# IGNORE google" will exclude .*google.* from accidental blocking.
	  These tags were introduced in Referrer Spam Fucker 3001 (and up), the
	  manual version of this script. WHICH YOU SHOULD CHECK OUT @
	  http://docs.g-blog.net/code/RefSpamFucker/ :)


	THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

****************************************************************************/


// The location of the logfile
$logfile_name		= "/path/to/your/logfile/access.log";

// The .htaccess that is supposed to be altered. MUST be writable!
$htaccess_file		= "/path/to/your/docroot/writable/.htaccess";

// If a referrer caused more than $threshold_percent% of all accesses, it's
// considered spam.
$threshold_percent	= 1;

// Your domain this script will run for, after all, you don't want your
// own domain get blacklisted. ;)
$good_ref_host		= 'my.domain.net';


// Open the logfile
$logfile		= file($logfile_name) or die("Logfile couldn't be read, exit!");
$num_accesses	= count($logfile);

// Parse the logfile
foreach ($logfile as $key => $line)
{
	preg_match('/"(GET|POST).+" [0-9]+ [0-9]+ "(.+)"/Ui', $line, $matches);

	if (!preg_match('/^(|-)$/', $matches[2]))
	{
		if (!stristr($matches[2], $good_ref_host))
		{
			$ref_url = parse_url($matches[2]);

			// Normalize the referrers
			$ref_url['mainhost'] = preg_replace('/^www\./Ui', '', $ref_url['host']);
			$ref_url['mainhost'] = preg_replace('/\.[a-z]{2,7}$/Ui', '', $ref_url['mainhost']);

			$access_details[$ref_url['mainhost']] = isset($access_details[$ref_url['mainhost']]) ? ($access_details[$ref_url['mainhost']] + 1) : 1;
		}
	}
}

$threshold = ($num_accesses / 100) * $threshold_percent;
$num_valid = 0;

// Start looking for spam
foreach ($access_details as $address => $number)
{
	if ($number <= $threshold || preg_match('/^(|-)$/', trim($address)))
	{
		unset($access_details[$address]);
		$num_valid++;
	}
}

// Read the .htaccess file
$htaccess = @file($htaccess_file);
$htaccess = is_array($htaccess) ? $htaccess : array();

// First run of this script? If yes, append the necessary code
if (!stristr($htaccess[0], '### REFSPAM FUCKER 3000 ### START'))
{
	array_unshift($htaccess, '### REFSPAM FUCKER 3000 ### START ### DO NOT REMOVE OR MOVE THIS BLOCK',
							'order deny,allow',
							'deny from env=BadReferrer',
							'### REFSPAM FUCKER 3000 ### END',
							'### (c) CARLO ZOTTMANN, http://G-Spotting.net/', '', '');
}

// Prepare for adding the new spammers: get rid of '### REFSPAM FUCKER 3000 ### START'
array_shift($htaccess);

// Append new anti-spam rules
foreach ($access_details as $key => $val)
{
	$new_rule = 'SetEnvIfNoCase Referer ".*'.str_replace('.', '\.', $key).'.*" BadReferrer';

	if (!in_array("$new_rule\n", $htaccess) && !preg_grep("/^# (WATCH|NOBLOCK|IGNORE) ".str_replace('.', '\.', $key)."\s?$/", $htaccess))
	{
		array_unshift($htaccess, $new_rule);
	}
}

array_unshift($htaccess, '### REFSPAM FUCKER 3000 ### START');


// Write .htaccess file
if ($fp = fopen($htaccess_file, 'w'))
{
	for ($a = 0; $a < count($htaccess); $a++)
	{
		fwrite($fp, trim($htaccess[$a])."\n");
	}

	fclose($fp);
}

// Done!

?>