There will always be an incentive for Sybil attacks; spam is just the lowest rung on the ladder. More sophisticated attacks, for example bootstrapping a Sybil in-group via social engineering in order to effectively hijack identity or phish people, will be worth the cost of PoW since they might be able to manipulate public information or gain access to trusted information.
Discussion
That's why certain issues need to be on a per occurrence basis. But I think a simple POW (no reason it needs ASICs) would block the initial, very low hanging data spam. The automated fake accounts are a good example. Someone is just generating keys en masse and throwing out web requests to relays and bloating a bunch of "follow" events and there's virtually no cost for them to do this.
Add even just a second or 2 of POW for the average mobile device -- and you can even regulate it by the frequency of new requests from the same IP address (i.e. maybe incrementally make POW harder if you get 100 of these requests in under 1 minute from the same IP), and I bet 90% of this disappears almost immediately.
I have evidence that this isn't true: a few weeks ago someone scripted Coracle using Puppeteer to create a bunch of fake accounts. I don't know why you would do that when you can just publish the events, but it demonstrates that the bar needs to be higher than just a few seconds of PoW, since running Chrome is much more expensive than computing PoW, and yet it was a viable vector for spam.
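The scheme proposed in the comment above (a base PoW cost that gets harder once one IP sends 100 requests in under a minute), written out from the relay's side as an added example that is not part of the thread or of any relay's code. The SHA-256 leading-zero-bit target, the constants, and every name below are assumptions.

```python
import hashlib
from collections import defaultdict, deque

# All constants and names are assumptions for this example.
BASE_BITS = 8        # baseline difficulty, in leading zero bits
STEP_BITS = 4        # extra bits per full burst seen in the window
BURST = 100          # "100 of these requests" from the comment
WINDOW_SECONDS = 60  # "in under 1 minute" from the comment


def pow_bits(payload: bytes, nonce: int) -> int:
    """Leading zero bits of SHA-256(payload || 8-byte big-endian nonce)."""
    digest = hashlib.sha256(payload + nonce.to_bytes(8, "big")).digest()
    value = int.from_bytes(digest, "big")
    return 256 - value.bit_length()


def mine(payload: bytes, bits: int) -> int:
    """Client side: brute-force a nonce that meets the target."""
    nonce = 0
    while pow_bits(payload, nonce) < bits:
        nonce += 1
    return nonce


class AdaptivePowGate:
    """Relay side: per-IP sliding window that raises the PoW target."""

    def __init__(self):
        self.seen = defaultdict(deque)  # ip -> timestamps of recent requests

    def required_bits(self, ip: str, now: float) -> int:
        recent = self.seen[ip]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()  # forget requests older than the window
        return BASE_BITS + STEP_BITS * (len(recent) // BURST)

    def accept(self, ip: str, payload: bytes, nonce: int, now: float) -> bool:
        need = self.required_bits(ip, now)
        self.seen[ip].append(now)  # rejected attempts count toward the rate too
        return pow_bits(payload, nonce) >= need
```

Expected mining work doubles with each added bit, so with `STEP_BITS = 4` every further burst of 100 requests makes the next event from that address 16 times more expensive.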
PoW for antispam is gonna be useless if that PoW has an ASIC for it.
i've studied the subject extensively and the only time i saw an example of PoW that was remotely viable it was bound to creating commitments for spends of coins for a duration of time (it was an eth fork) and the number of solutions allowed per account per minimum amount was pretty small. making other accounts of course you could 'stake' on more but yeah, point being that it depended on real economic limitations, so to speak.
as i see it, nostr's going to have a spam problem without the notion of a pay-per-byte model for posting, in the long run. we just haven't seen enough adoption to lead to that.
which is also why the "adoption at any cost" types should be eyed with suspicion since we aren't ready. but hey, it's the endless war between marketing and dev right?
What about rentable ASICs? In other words, a client would call a DVM or http endpoint to get the PoW from a provider, then publish it. Another idea I've had but can't really evaluate is proof of burn. This anchors work to real value without requiring the payment to actually go anywhere.
I do think the ideal solution would be something like reverse-zaps, where an author spends a certain amount of real value to publish their post, and people who interact with it automatically get paid some small portion of that value. I'm not sure this couldn't be gamed by bots though, and would require a custodial service to hold/disburse the sats.
you see... the network does ultimately have to make a cost for publishing.
i think penultimately downloading content will need this too. requesting content from relays can become a DoS vector.
it was my first reaction to the whole thing in the first place "spam party"...
there are people working on ways to do this on a fully trustless basis over LN but i am betting on my own solution, which is indra, which enables paywalling for in- and out-bound traffic into the network, and uses microtransactions and tiny prepaid sessions. the side benefit of indra is privacy, so i think that since privacy helps security it has the best cost/benefit ratio.
just wish i could dedicate the time and effort to work on it, and that probably means courting investors first of all, neither of which i have as a luxury right now.
Send me a link, it sounds interesting
https://github.com/indra-labs/indra
i haven't done anything on it because i need to prioritise getting a steady income right now, the period of sponsorship to develop it evaporated last month, a month sooner than i expected.
You really think someone would make an ASIC for a small social POW? Or are you meaning if you used Bitcoin hash to do it — in that case I agree, you are right that my first random suggestion for that is already broken because of widely available old mining hardware.