Author: S.Sblam (10 Aug 07 8:15am)
You're setting a 'notabot' cookie. Although unlikely, a spammer could target your script and always send this cookie, thus bypassing protection completely.
It would be safe if you used PHP's session mechanism instead.
$type & 0 won't work (there are no bits in 0 to check for). In this special case you should use $type==0.
http:BL doesn't filter out dynamic IPs, so the result isn't 100% certain. Blocking comment spammers with any threat level might be too restrictive. You can remedy this a bit by taking into account the age of the listing. For example:
$threat = $threat * 5 / ($age + 5);
This will halve the threat level if the listing is 5 days old, give 1/3rd of the threat for a 10-day-old listing, etc.
You can make blocking even more precise (with fewer false positives) if you block POST requests from comment spammers and GET requests from harvesters, but not vice-versa.
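
The checks suggested in the comment above, combined into one function as an added example (not part of the original comment and not the original script's code). It assumes the http:BL answer format 127.<age in days>.<threat>.<type> with type bits 2 = harvester and 4 = comment spammer; `httpbl_should_block` and `THREAT_LIMIT` are hypothetical names, and the cut-off of 10 is an assumed value.

```php
<?php
// http:BL visitor-type bits; a type of exactly 0 means "search engine".
const HTTPBL_HARVESTER       = 2;
const HTTPBL_COMMENT_SPAMMER = 4;

// Assumed cut-off for this example; tune it against your own traffic.
const THREAT_LIMIT = 10;

/**
 * Decide whether to block a request, given the http:BL DNS answer
 * (e.g. "127.5.40.4") or null when the address is not listed.
 */
function httpbl_should_block(?string $answer, string $method): bool
{
    if ($answer === null) {
        return false;                   // not listed
    }
    $parts = explode('.', $answer);
    if (count($parts) !== 4 || $parts[0] !== '127') {
        return false;                   // malformed answer: this example fails open
    }
    [, $age, $threat, $type] = array_map('intval', $parts);

    if ($type === 0) {
        return false;                   // search engine; "$type & 0" would always be 0
    }

    // Age decay from the comment: 1/2 at 5 days, 1/3 at 10 days.
    $effective = $threat * 5 / ($age + 5);
    if ($effective < THREAT_LIMIT) {
        return false;
    }

    $method = strtoupper($method);
    if (($type & HTTPBL_COMMENT_SPAMMER) && $method === 'POST') {
        return true;                    // comment spammers: block submissions only
    }
    if (($type & HTTPBL_HARVESTER) && $method === 'GET') {
        return true;                    // harvesters: block page reads only
    }
    return false;
}

// Constructed sample answers (not real listings).
var_dump(httpbl_should_block('127.5.40.4', 'POST'));  // recent comment spammer submitting a form
var_dump(httpbl_should_block('127.5.40.4', 'GET'));   // same listing, only reading a page
var_dump(httpbl_should_block('127.30.40.2', 'GET'));  // harvester listing that is 30 days old
var_dump(httpbl_should_block('127.1.0.0', 'GET'));    // search engine (type 0)
```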