PSA: Nostr CAPTCHA is inevitable (don’t shoot the messenger)
The spam we’re fighting now isn’t 2013-style porn bots.
It’s targeted, low-volume AI shill bots that read the thread, larp as humans, and post convincing replies.
PoW probably won’t dent their economics — they’re already burning LLM tokens on every reply.
WoT gets farmed or rented.
Behavioral entropy is a $20 webcam and a lava lamp.
I think we’re going to be forced into using a captcha.
The cleanest dirty shirt I could come up with is a hybrid model like this:
- Keep PoW as the baseline (it still kills dumb volume spam)
- Layer a lightweight, invisible human-proof on top (self-hosted FriendlyCaptcha or open-source equivalent)
- Relays issue sigs on a delegate key; client sends a simple proof (maybe a PoK) that other relays in the federation blindly verify
- Both PoW difficulty and human-proof frequency scale down as a key earns reputation (age, zaps, posts, graph distance) (maybe trust providers)
The attack surface is fractured away from global CAPTCHAs.
No central honeypot, no tracking or additional metadata leak, no SPOF; friendly to cold-start keys and graph-distant strangers.
Just ~20–30 relay operators agreeing on one token format and one shared human-proof primitive.
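A sketch of the relay-side admission check for this hybrid model, as an added example that is not part of the original post: a NIP-13-style leading-zero-bits PoW check plus a federation-verifiable human-proof token, with both the PoW difficulty and the token lifetime scaling with reputation. An HMAC over a shared federation secret stands in for the delegate-key signature, and the pubkeys, difficulty, TTLs and reputation scale are constructed values.

```python
import hashlib
import hmac

# Constructed demo values (placeholders, not real Nostr keys or agreed parameters)
FEDERATION_SECRET = b"demo-delegate-key"   # stand-in for the relay delegate signing key
BASE_POW_BITS = 20                         # difficulty demanded of a zero-reputation key
MIN_TTL = 600                              # zero-rep key must re-prove every 10 minutes
MAX_TTL = 30 * 24 * 3600                   # full-rep key re-proves once a month


def leading_zero_bits(event_id_hex: str) -> int:
    """NIP-13 style difficulty: number of leading zero bits in the event id."""
    return len(event_id_hex) * 4 - int(event_id_hex, 16).bit_length()


def required_pow_bits(reputation: float) -> int:
    """PoW difficulty scales down linearly as the key's reputation (0.0..1.0) grows."""
    return max(0, round(BASE_POW_BITS * (1.0 - reputation)))


def proof_ttl_seconds(reputation: float) -> int:
    """How long one human-proof token stays valid; higher reputation means fewer challenges."""
    return int(MIN_TTL + reputation * (MAX_TTL - MIN_TTL))


def issue_human_proof(pubkey: str, issued_at: int) -> dict:
    """Issued by the relay that ran the captcha; any federation relay can verify it."""
    payload = f"{pubkey}:{issued_at}".encode()
    mac = hmac.new(FEDERATION_SECRET, payload, hashlib.sha256).hexdigest()
    return {"pubkey": pubkey, "issued_at": issued_at, "mac": mac}


def verify_human_proof(token: dict, pubkey: str, now: int, reputation: float) -> bool:
    """Blind verification: check the token binding and MAC, then its reputation-scaled expiry."""
    payload = f"{token['pubkey']}:{token['issued_at']}".encode()
    expected = hmac.new(FEDERATION_SECRET, payload, hashlib.sha256).hexdigest()
    if token["pubkey"] != pubkey or not hmac.compare_digest(token["mac"], expected):
        return False
    return now - token["issued_at"] <= proof_ttl_seconds(reputation)


def accept_post(event_id_hex: str, token: dict, pubkey: str, now: int, reputation: float) -> bool:
    """Relay admission: PoW baseline first (cheap), then the human-proof token."""
    if leading_zero_bits(event_id_hex) < required_pow_bits(reputation):
        return False
    return verify_human_proof(token, pubkey, now, reputation)
```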
Do that or similar and I think targeted AI shill bots are mostly stopped for 2-3 years.
If not, I fear we'll be including perfect-sounding AI sales bros in all our conversations and killing adoption.
I hate it too. I looked for a purer answer, but I can't see a way around the captcha.
Happy to be wrong, just tell me. But am I?
#nostrdev #grownostr