Replies (28)
Thanks for the write up.
Best to ignore counts and focus on the interaction and the person behind each interaction.
We still have work to do when it comes to hardening our relays. Thanks for your research, Ron!
Hello there!
Did you consider adding a how web of trust fixes this segment 👀
I did not for this exercise. Web of trust isn't a great control by itself as others like PGP/GPG have tried it prior and it's manipulatable as well.
For sure, followers, engagement, zaps can all be borked, comments now with LLMs can be pretty unique and seem like real engagement
I really like Coracle's web of trust metric, I'm sure it can also be spoofed with enough time, but any layer helps slightly
Thanks for the info!
WoT goes 96% of the way to solving this problem, we'll figure the remaining 4% out in-flight.
u not gonna open source ur script .... (jk)
That would probably have been better to test, honestly.
What you did so far is essentially already known and accepted.
I’m curious how WOT doesn’t work when everyone’s public keys are available.
How would WoT apply to other event types though? I can spam whatever data and event types I want, regardless of follower algorithms.
For followers it may, but how does that prevent me from spamming various event types? I'm looking at the bigger picture relay wise.
Interesting experiment. Nostr's decentralized relay can avoid malicious network attacks. And it will not affect the use of the client.
dis
Content is the real treasure, as you said. I am happy to know that my artwork was created by me since I made it and enjoyed doing it.
Have you heard of Dan?
On your takeaways:
> - over half the Nostr listed relays are using some sort of spam mitigation technique(s)
That's great to know!
> - the attack was still achievable
Attack of what exactly? You wasted 10gb of space on some relays, and got to top on one app. Other apps were fine.
> - social media is easily manipulated
Nostr? That specific app?
> follower counts and engagement are worthless
They work in some context and not in others. For algos, i.e. that order profiles by popularity, fc is bad, which was always known, and no "spam prevention" will change that.
> - content is the real treasure
How can this insight help improve the app that you attacked? How can it help prevent spam?
Breaking news: NOBODY HERE CARES ABOUT FOLLOWERS
If the sender pubkey is not in the WoT the entire event is discarded, event type is irrelevant
Relays can use a WoT score to prevent spam of any kind
I dig the experiment… there’s plenty in there that’ll help improve some apps and relays
It’s worth noting that you now have 1+ million followers who look like NPCs: following 1 person, 0 followers, 0 posts, 0 interactions
You can start faking lots of these, like getting the NPCs to follow each other and make generic posts
I used scripts like this in the 00s (turn of the century😳) to beat Google's PageRank algorithm… it worked back then… it wouldn’t work now
Quality over quantity… it’s too easy to spot low quality accounts… this too can be automated
You’re the first to highlight an old problem… thankfully there are established solutions
Quality experiment ser… I applaud your thinking 🫡
Good lesson. Well played :)
That's truth!
Tldr
He wrote a script.
Now do one for how to get a million zaps 😉
Insight is the real treasure.
Easy. Two wallets, two accounts. Zap publicly, funnel back privately. Rinse, repeat.