New Constants for Spoofchecker

Pretty much everybody who regularly travels the World Wide Web will, at some point have received messages, usually by email, offering potency-enhancing drugs, irresistible bitcoin deals, a seven-digit share inheritance, or worse.

A good part of those spam emails that -unfortunately- make up the “ambient noise” of the internet, are phishing mails that want to lure you into visiting a dubious website, mostly with the intent of stealing your private data. A part of the plot is to make the domain name look or sound as credible as possible.

As long as domain names were all ASCII characters, this required rather obvious additions or changes to the actual domain name. But since domain names can be made up out of any UTF-8 characters, the problem has gotten worse.

There are various characters in other character sets that look very similar to an ASCII i, for example. By substituting just one character, scammers can lure their victims onto their own website.

Luckily, the intl extension offers functionality to detect such substitutions. The Spoofchecker class, part of the intl extension since PHP 5.4, can tell you whether a string is suspicious, in the sense that it contains visually confusable characters, or invisible whitespace. This feature seems to be rarely used, since we could not even find documentation for the method setRestrictionLevel() that -since PHP 7.4- allows passing of one of the follwing new class constants:

The PHP documentation is, unfortunately, also not very specific about what these constants exactly do, and at the time of writing of this section, the links pointing to the documentation at the website of the original ICU project are broken. So, given the fact that Spoofchecker is rarely used, we will just have to leave you with no additional information, at least for now.

Note that PHP (or your icu extension, to be exact) must be linked against ICU 58.1 or newer. At the time of writing, version 67.1 is current, so 58.1 should not be a problem.