Replies (57)
Maybe. IMO those Intel agencies are quite active on nostr. Lots of influence ops here. I've suspected you, for example. Decided probably not.
There are other possibilities. A dev on nostr could want the platform to respond to real threats, and this may be a way to accelerate development. Perhaps a rethink of how we use relays is in order. Perhaps we need to develop on the "web of trust" idea, or move to an authentication standard. Doesn't it seem like the spam attacks have grown incrementally in annoyingness? Like someone is trying to get a response, and might be a little exasperated by us not hitting the solution they want. Idk. I see patterns.
I keep talking about some good ideas for developing on WoT
1. A web of trust relay that lets anyone in (at least temporarily) for submitting a note with enough mined NIP-13 proof of work
2. To combat AI spam, a robust tagging system with stuff like a standardized tag for "met in person to verify human identity at this timestamp" so that your web of trust can have filters like "known human npubs only"
I never thought of that lol
Porn bots or depraved Jews who don’t like you pointing out their bad behavior? Yesterday I posted a quote from Benjamin Netanyahu and Mahdoods Buddy posted a gay porn response. The only two people following Mahoods Buddy was CosmicWhispers and PhantomFabric, who were both following me. He has since removed them as followers. He also uses MatchdayBuzz to follow the people pointing out the Jews bad behavior.
All ideas can and should be tried. I'm a fan of simplicity, and it seems to me that the simplest solution is to have the client not show a note at all (in a reply) unless the note paid 1 sat to the OP. It's nothing. It can be lowered to a smaller unit when we get to smaller units. Some spam will still get through, if they pay, but most will stop when they math the total cost of an attack. I'd like to try this solution.
I'd never use it
1 sat per reply is already limiting for the global poor and that being the usual suggested amount shows why I don't trust the world to adjust the amount as needed
Amazing that I was a suspect. 😂
Yes, I definitely agree on your points. It could be a state actor (I err towards this being likely) but a dev forcing people to improve the platform is also a possibility. Or perhaps trying to get people onto their paid relays. One of the bots I saw had a message to remove nostr.land as a relay for the attacks to stop.
I imagine that if analytics show a drop in users following a bot attack, then that would be considered an effective strategy and expanded.
My first question is who stands to gain most from destroying a growing protocol in its early stages, when it is so very promising? That's what makes me most suspicious.
Couple it with the previous doxxing of fiatjaf as well as the media hitpiece labeling nostr as 'extremist' or 'far-right'. Anytime I see that, it's obvious there is a campaign to discredit.
I'm always getting follow notifications from those accounts. Need to look at removing them because they are blocked.
This is the MO of what they do to accounts calling them out on twitter, since the porn bots will destroy your reach. I guess schlomo hasn't yet figured out that there is no inherent algorithm here.
It's absolutely suspicious.
Pay per post seems like a good idea to try. I've thought the same. Or even pay an amount that gets returned to you after a certain period provided you weren't a bot or spammer.
But ain’t the mute button a blessing?
It's one solution, but it doesn't really work if there are dozens or more accounts.
I agree everything should be tried though
Proof-of-Work is unlikely to be effective for deterring spammers. Spammers easily operate at massive scales (botnets, server farms, cheap cloud). They can absorb the PoW cost more easily than legitimate users because spamming is a numbers game.
The meet-in-person (like in the old PGP era) is even less likely to work.
Tfw you realise that Comte is on to you for being a fed but then you remember you’re not a fed.
“Maybe. IMO those Intel agencies are quite active on nostr. Lots of influence ops here. I've suspected you, for example. Decided probably not.”

I think it was Solzhenitsyn who said that you must always question whether you're speaking to an informant. The Intel agencies have recreated the Soviet Union on the internet, and now we must always wonder if the person we're interacting with is one of them.
I benefit a lot from your notes. Despite that scary pfp.
He’s just an orc that’s kinda insensitive.
I'm gonna spout some pure conjecture here, but I suspect there are broadly two camps in the intelligence world: the commies, aka the black lodge; and the rebel alliance, aka the white lodge. It just doesn't look like a unified force. There's some push back occurring and it's not originating from plebs. Just my pattern recognition again... Could be wrong.
Ha! The character arc for this orc was that he's sensitive and falls to vampirism but emerges from his long night and becomes a champion for good!
🤔 you know it's an orc... Fellow gamer recognized...
Professional sneak stabber here.
Too easy. Zwei-hander plus alteration mage armor, here
I suffered in childhood, now I’ve come to win.
Oh I relate...
🤝
That's why it's augmented with web of trust. Regular users who have established their npubs as non spam can post all they want without proof of work, so the proof of work requirement for new users can be as high as it needs to be to make spam manageable
From intel agencies to orcs within 2 hours!
All 24 of us on nostr are on our A game today!
Fair. Maybe a bunch of options and people customize their anti-spam strategy
Just adding some levity and not to distract us from the important conversation of who may or may not be an agent of the state.
Which is exactly what a fed agent would say….

Catch the game last night??
Yeah, as long as we don't interfere with each other both of our ideas should be usable
It does not make me want to leave as I have managed to set up nostr in a way that I do not see anything I don’t want to outside of a wot.
What it does do is prevent me from recommending people to use it. Clearly there is a lot of work that needs to be done on filtering content by default before we are ready for mainstream growth.
Defining an effective threshold for "as high as it needs to be" is the problem. And this is well known. PoW was abandoned as a spam deterrent in emails precisely because no threshold could simultaneously block spammers (especially those with access to server farms) and remain practical for legitimate users (particularly considering smartphone and low-powered devices).
And for emails it was actually easier (deterrence was against spamming millions of mails, not just sending few hundred events to saturate a relay).
For me it is really surprising to see PoW being tried again in Nostr: history shows it is not going to work.
I doubt there's any real evidence or reasoning to show proof of work isn't feasible for email.
Regardless, if you're sure the simple solution wouldn't work, you could try it with some increased complexity. The proof of work component could score posts based on a simple formula weighing proof of work against simple metrics like whether the text matches other recent posts and whether it includes any links. These scores wouldn't matter for npubs within a given web of trust.
It doesn't make sense to give up on solving the problem just because you think the bare minimum solution isn't enough
Yes there is evidence, about 20y ago PoW for antispam was a huge research area. You can for instance read "'Proof-of-Work' Proves Not to Work", version 0.2, which is one of the most cited papers on this topic.
https://www.cl.cam.ac.uk/~rnc1/proofwork2.pdf
This is like Obama 2008 all over again. I had faith in you

wow... it works for me, right now.

Works for me now, will read in a bit and reply again 🤙
Skimmed it but didn't see anywhere that it would explain how pow spam filtering doesn't work for email
You should explain your point more yourself
How does it not work for email?
Why does it apply to email and nostr but not other onion services or Bitcoin?
It works like that: spammers are going to operate using powerful servers with lots of computing resources and minimal energy constraints—that's the nature of their activity. In contrast, legitimate users often rely on smartphones or low-powered devices.
This creates a fundamental problem for PoW as a spam mitigation strategy: there’s no viable threshold that can effectively hinder spammers without also significantly impairing regular users.
Bitcoin is very different, as its use of PoW is fundamentally different: it’s a competitive system where miners race to solve a game in a winner-takes-all model. That schema does not make sense in a microblogging protocol like Nostr.
You're not actually explaining how this is true.
On email, you're not showing where it goes wrong if I try to set up a proof of work email system. You keep saying legitimate users are "hindered" but not explaining how.
On Tor and Bitcoin, you didn't even mention Tor, and again, you didn't have an explanation of why it works for Bitcoin but not this, you simply stated you believe that
Ok, let me make an example.
In the paper the cost is in $, but let's simplify and use time. Let's say that we want a high PoW barrier, like 60s (average) to send an event to Nostr relays using a smartphone. Let's say that the same message costs on a server something like 10s, as the server is more powerful.
So the Nostr user will be pissed off by waiting 60s to send a message, which will also drain his smartphone batteries.
On the other hand, the dedicated server of the spammer will send 8640 spam messages per day, flooding Nostr relays. And that's assuming the spammer has a single machine, but in reality it could be a server farm.
You can reduce the cost and make it even easier for the spammer.
For Tor I am not sure.
Bitcoin is very different: PoW is a competitive game to sign a block, it is not an antispam. There is no parallel to a messaging system.
It sounds like 60s just isn't a long enough delay in that scenario
And if you can't explain why this doesn't apply to Tor's proof of work spam filtering then that seems to confirm this isn't true
From a usability perspective, 60s would be a terrible user-experience design.
And that would not have any significant impact on spammers, that's the point.
Why would it make any difference waiting for 10s, if the spamming server is a dedicated machine? The energy cost on the spammer side would be negligible.
The point is to have the barrier be high enough to not be negligible for spammers, which means it can't be negligible for users either
The better UX comes from being able to post without being banned or filtered, not being fast
There is no PoW barrier high enough for spammers with dedicated machines.
Being horribly slow would only penalize legitimate users, not spammers.
Then why doesn't this apply to Tor and Bitcoin 🙄
In Tor I don't know how PoW is used.
Bitcoin is different. PoW is the goal of the game of signing a block. Every miner competes to complete the PoW before the others, and the first who completes wins and appends the next block. You cannot move this schema to relays. There is no "competitive game" to publish the next note or anything similar.
But it works. People wait the 10 minutes and the spam is filtered.
And with Tor it's basically the same as with email except with coders that did it instead of writing a paper saying it wouldn't work 😞
Interesting. I will search and read about that.
But I don't think you can wait 10 minutes of intensive computing on a smartphone to just send a message - it would make nostr unusable, and onboarding almost impossible.
I feel like the onboarding success rate would be higher than it is for paid relays or relays clogged with spam
So I now understand that Tor nodes can enable PoW as a defense mechanism against DDoS attacks, as described in proposals/327-pow-over-intro.txt (The Tor Project / Core / Tor Specifications, GitLab).
The goal is to mitigate connection-level flooding, such as when a botnet with thousands of compromised machines overwhelms onion services by initiating millions of introduction requests.
This is fundamentally a DDoS prevention mechanism, not an anti-spam strategy.
In contrast, if (or when?) Nostr relays are flooded with millions of spammy notes per second, one might consider applying a similar PoW-based throttle—e.g., requiring a 20-bit PoW, which takes about one second to compute. This would theoretically reduce the spam rate to thousands of notes per second per spammer node.
Would this actually be effective as an anti-spam?
Seems to me like it should be effective
And DDoS is definitely a type of spam
PoW is effective in the context of DDoS attacks, where an attacker generates millions of connections in a short time. In such cases, even a small computational cost per request, when multiplied by millions, becomes significant for the attacker, but remains manageable for legitimate users.
Spam, however, is a different problem. A spammer publishing just 1,000 notes per hour could still inflict substantial damage on Nostr relays, overwhelming storage and flooding the relay global feed. In this case, the computational cost of PoW (especially at < difficulty levels) is negligible for the attacker and not a meaningful deterrent.
The situation is much closer to the email spam problem, where PoW was also explored and ultimately abandoned due to its ineffectiveness. In fact, Nostr's case is arguably simpler from the spammer’s perspective: notes are public, require no targeting, and have virtually no delivery constraints.
So my initial point remains: NIP-13 is unlikely to be effective as a spam prevention mechanism, just as PoW proved ineffective against spam emails.
You're definitely wrong
If it didn't work with a simple threshold for what difficulty level is needed to join the web of trust, it would just need a simple formula accounting for things like whether there are any links, as I said before
Yes, restricting PoW to users outside the WoT is a thing, and somewhat makes sense.
But still I don't understand why not captchas or similar in this scenario. These are more effective than PoW, as they burn human mental resources, not just cheap CPU cycles, and are hard to automate.
I don't believe captchas are necessarily harder for bots than humans but definitely also worth a try since I could be wrong on that 🤙
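
An added example, not part of any reply in this thread: a Python sketch of the relay-side policy debated above (NIP-13 proof of work demanded only from pubkeys outside a web of trust), together with the throughput arithmetic behind the 10-second and 20-bit figures. The `admit` policy, the sample event, the placeholder pubkey and the hash rates are assumptions made for illustration.

```python
import hashlib
import json

def event_id(ev):
    # NIP-01 id: sha256 over the compact JSON array
    # [0, pubkey, created_at, kind, tags, content]
    body = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(body, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def difficulty(hex_id):
    # NIP-13 difficulty: number of leading zero bits in the 256-bit id
    return 256 - int(hex_id, 16).bit_length()

def mine(ev, target):
    # Bump the nonce tag until the id reaches the committed target
    base = [t for t in ev["tags"] if t[0] != "nonce"]
    nonce = 0
    while True:
        trial = dict(ev, tags=base + [["nonce", str(nonce), str(target)]])
        if difficulty(event_id(trial)) >= target:
            return trial
        nonce += 1

def admit(ev, wot, min_bits):
    # Hypothetical relay policy: web-of-trust pubkeys skip PoW entirely
    if ev["pubkey"] in wot:
        return True
    committed = next((int(t[2]) for t in ev["tags"]
                      if t[0] == "nonce" and len(t) > 2 and t[2].isdigit()), 0)
    # Check the committed target as well as the id, so an id that is
    # low by luck (or mined for a lower target) does not pass
    return committed >= min_bits and difficulty(event_id(ev)) >= min_bits

def notes_per_day(hashes_per_sec, bits):
    # Expected work is 2**bits hashes per note, whoever computes it
    return 86400 * hashes_per_sec / 2 ** bits

# Constructed sample event; the pubkey is a placeholder, not a real key
SAMPLE = {"pubkey": "a" * 64, "created_at": 1700000000, "kind": 1,
          "tags": [], "content": "hello from outside the web of trust"}

if __name__ == "__main__":
    mined = mine(SAMPLE, 8)  # 8 bits keeps the demo fast (about 256 hashes)
    print(event_id(mined), admit(mined, wot=set(), min_bits=8))
    # Assumed rates: 2**20 hashes/s on a server, one sixth of that on a phone
    for name, rate in (("server", 2 ** 20), ("phone", 2 ** 20 / 6)):
        print(name, round(notes_per_day(rate, 20)), "notes/day at 20 bits")
```

Raising `min_bits` by one halves `notes_per_day` for every sender at once, so the ratio between the two assumed devices stays fixed at any threshold.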