Defenses/vCore Changing
Defenses in vCore are changing. I've already noted the primary blocker will be URL based rather than domain-based, but domain-based won't be going away, either.
Since the implementation of spam defenses on Varus Online, most of the blocks have been robots, and few humans. The Robots:Humans ratio increased after the defense renovation in late 2008, with only 3 human blocks amidst thousands of blocked robots.
The single-list strategy is proving itself to be problematic. We want to block links from certain domains, but not necessarily mail, and we want to block mail from certain domains, but not necessarily links. Domain-based blocking will be retained in vCore, but now two lists will be maintained - links and domains. Domain-based blocking is the ultimate last resort for links, we will use URL-based blocking as much as possible.
Since it was discovered people may grab a session ID, solve the image for it, then give that session ID to their bots and fraudulently register thousands of accounts, we have used User-Agent comparisons since its rather rare the person's User-Agent matches that of their robots. In cases where Varus Online has seen exactly this kind of attack, the IPs of the robots were outside the Class-C subnet the human was using. The system already had a built-in defense for that. User-Agent matching has prevented 2 robots and roughly 363 people from using the same session ID. In every human case, a browser update was performed. User-Agent matching will no longer be done in vCore. The alternative is using FormKit to prevent robot registrations.
vCore will also be using Defensio to perform spam checking. Defensio will be the final entry in the defense checklist for every new post, this allows our other defenses to take precedence and fail a post before it can be checked by Defensio. If a post is failed before it reaches Defensio, then Defensio will be skipped. This is for billing purposes (read: cost-cutting).
We will also be setting up additional mailboxes which the system will check. We will be launching our very own email honeypot to assist in populating our defense information.
VOCASystem CrossLink/vCore AppLink will provide up to 20,000 spam checks for free and over that, standard vCore AppLink API billing applies ($1 per 10,000 requests over the free limits). Premium mode will be required for the spam checks, and information gathered via Defensio will be omitted from the results (get your own Defensio account, they really aren't expensive).
Customers of "vCore Powered", the hosting service, will be able to enter their Defensio account information and enable vCore to use Defensio for their sites in the hosting control panel. Customers of vCore Powered will not be required to get an AppLink key or pay for using it, since vCore accesses its stuff directly (besides, it wouldn't be right since vCore Powered will be a premium hosting service).
As much as I'd love to, I can't go over all the new defense details. The entire defense subsystem for vCore is mapped out, but not all of it has been implemented. This past week, a number of performance improvements have been done with our nginx configuration and vCore. vCore is now less of a monolithic application framework and more of a flexible system. Rebirth Core Foundation Software, originally forked from vCore, is now being merged with vCore and is now considered an end-of-life product. There is a possibility we may rename vCore Platform to Rebirth CFS or Rebirth Platform, as this name integrates better with the general theme of our new company.
Since the implementation of spam defenses on Varus Online, most of the blocks have been robots, and few humans. The Robots:Humans ratio increased after the defense renovation in late 2008, with only 3 human blocks amidst thousands of blocked robots.
The single-list strategy is proving itself to be problematic. We want to block links from certain domains, but not necessarily mail, and we want to block mail from certain domains, but not necessarily links. Domain-based blocking will be retained in vCore, but now two lists will be maintained - links and domains. Domain-based blocking is the ultimate last resort for links, we will use URL-based blocking as much as possible.
Since it was discovered people may grab a session ID, solve the image for it, then give that session ID to their bots and fraudulently register thousands of accounts, we have used User-Agent comparisons since its rather rare the person's User-Agent matches that of their robots. In cases where Varus Online has seen exactly this kind of attack, the IPs of the robots were outside the Class-C subnet the human was using. The system already had a built-in defense for that. User-Agent matching has prevented 2 robots and roughly 363 people from using the same session ID. In every human case, a browser update was performed. User-Agent matching will no longer be done in vCore. The alternative is using FormKit to prevent robot registrations.
vCore will also be using Defensio to perform spam checking. Defensio will be the final entry in the defense checklist for every new post, this allows our other defenses to take precedence and fail a post before it can be checked by Defensio. If a post is failed before it reaches Defensio, then Defensio will be skipped. This is for billing purposes (read: cost-cutting).
We will also be setting up additional mailboxes which the system will check. We will be launching our very own email honeypot to assist in populating our defense information.
VOCASystem CrossLink/vCore AppLink will provide up to 20,000 spam checks for free and over that, standard vCore AppLink API billing applies ($1 per 10,000 requests over the free limits). Premium mode will be required for the spam checks, and information gathered via Defensio will be omitted from the results (get your own Defensio account, they really aren't expensive).
Customers of "vCore Powered", the hosting service, will be able to enter their Defensio account information and enable vCore to use Defensio for their sites in the hosting control panel. Customers of vCore Powered will not be required to get an AppLink key or pay for using it, since vCore accesses its stuff directly (besides, it wouldn't be right since vCore Powered will be a premium hosting service).
As much as I'd love to, I can't go over all the new defense details. The entire defense subsystem for vCore is mapped out, but not all of it has been implemented. This past week, a number of performance improvements have been done with our nginx configuration and vCore. vCore is now less of a monolithic application framework and more of a flexible system. Rebirth Core Foundation Software, originally forked from vCore, is now being merged with vCore and is now considered an end-of-life product. There is a possibility we may rename vCore Platform to Rebirth CFS or Rebirth Platform, as this name integrates better with the general theme of our new company.