It sounds like 60s just isn't a long enough delay in that scenario
And if you can't explain why this doesn't apply to Tor's proof of work spam filtering then that seems to confirm this isn't true
From a usability perspective, 60s would be a terrible user-experience design.
And that would not have any significant impact on spammers, that's the point.
Why would it make any difference waiting for 10s, if the spamming server is a dedicated machine? The energy cost on the spammer side would be negligible.
The point is to have the barrier be high enough to not be negligible for spammers, which means it can't be negligible for users either
The better UX comes from being able to post without being banned or filtered, not being fast
There is no PoW barrier high enough for spammers with dedicated machines.
Being horribly slow would only penalize legitimate users, not spammers.
Then why doesn't this apply to Tor and Bitcoin
In Tor I don't know how PoW is used.
Bitcoin is different. PoW is the goal of the game of signing a block. Every miner competes to complete the PoW before the others, and the first who completes wins and appends the next block. You cannot move this schema to relays. There is no "competitive game" to publish the next note or anything similar.
But it works. People wait the 10 minutes and the spam is filtered.
And with Tor it's basically the same as with email except with coders that did it instead of writing a paper saying it wouldn't work
Interesting. I will search and read about that.
But I don't think you can wait 10 minutes of intensive computing on a smartphone to just send a message - it would make nostr unusable, and onboarding almost impossible.
I feel like the onboarding success rate would be higher than it is for paid relays or relays clogged with spam
So I now understand that Tor nodes can enable PoW as a defense mechanism against DDoS attacks, as described in
https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/327-pow-over-intro.txt
The goal is to mitigate connection-level flooding, such as when a botnet with thousands of compromised machines overwhelms onion services by initiating millions of introduction requests.
This is fundamentally a DDoS prevention mechanism, not an anti-spam strategy.
In contrast, if (or when?) Nostr relays are flooded with millions of spammy notes per second, one might consider applying a similar PoW-based throttle, e.g., requiring a 20-bit PoW, which takes about one second to compute. This would theoretically reduce the spam rate to thousands of notes per second per spammer node.
Would this actually be effective as an anti-spam?
Seems to me like it should be effective
And DDoS is definitely a type of spam
PoW is effective in the context of DDoS attacks, where an attacker generates millions of connections in a short time. In such cases, even a small computational cost per request, when multiplied by millions, becomes significant for the attacker, but remains manageable for legitimate users.
Spam, however, is a different problem. A spammer publishing just 1,000 notes per hour could still inflict substantial damage on Nostr relays, overwhelming storage and flooding the relay global feed. In this case, the computational cost of PoW (especially at < difficulty levels) is negligible for the attacker and not a meaningful deterrent.
The situation is much closer to the email spam problem, where PoW was also explored and ultimately abandoned due to its ineffectiveness. In fact, Nostr's case is arguably simpler from the spammer's perspective: notes are public, require no targeting, and have virtually no delivery constraints.
So my initial point remains: NIP-13 is unlikely to be effective as a spam prevention mechanism, just as PoW proved ineffective against spam emails.
You're definitely wrong
If it didn't work with a simple threshold for what difficulty level is needed to join the web of trust, it would just need a simple formula accounting for things like whether there are any links, as I said before
Yes, restricting PoW to users outside the WoT is a thing, and makes some sense.
But still I don't understand why not captchas or similar in this scenario. These are more effective than PoW, as they burn human mental resources, not just cheap CPU cycles, and are hard to automate.
I don't believe captchas are necessarily harder for bots than humans but definitely also worth a try since I could be wrong on that