well, if you saw the logs of your relay constantly telling you some dumbass keeps on trying to publish events, gets ok,false,"auth-required:" and ignores it and publishes another, and another, and another, all from the same IP, you'd get it.
my relay is decoding that stupid event, verifying its signature, and then telling the client it has to auth. so, it does it 3 times, that client is being ignored for 10 minutes. it's not going to be humans doing this, it's publishing other people's events at a rate of like 2-3 per second.
think about the load that's putting on my relay when i'm following the protocol and telling them to auth first and the client is just blasting at me.
whoever built the blaster thing that's doing it needs to be slapped upside the head.
also, i'm rejecting this idea you can control spam with just no auth and ... what do you propose is going to be the method of deciding? whitelist? ah but muh onburding. blacklist? ever wanted to play whack a mole without a prize?
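The strike-and-ignore behaviour described in this post, as an added Go example that is not the poster's relay code: unauthenticated EVENT frames are counted per IP before any decoding or signature verification, and the third one starts a 10 minute ignore window. `AuthGate`, `OnEvent`, the return strings other than `auth-required` and the sample IP are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"time"
)

// Thresholds from the post: 3 ignored auth-required replies, then 10 minutes of silence.
const (
	maxStrikes = 3
	banFor     = 10 * time.Minute
)

type peer struct {
	strikes     int
	bannedUntil time.Time
}

// AuthGate tracks unauthenticated EVENT attempts per remote IP (hypothetical type).
type AuthGate struct{ peers map[string]*peer }
func NewAuthGate() *AuthGate { return &AuthGate{peers: make(map[string]*peer)} }

// OnEvent runs before the event is decoded or its signature checked, so a
// blasting client costs one map lookup. Returns "drop", "auth-required" or "accept".
func (g *AuthGate) OnEvent(ip string, authed bool, now time.Time) string {
	p := g.peers[ip]
	if p == nil {
		p = &peer{}
		g.peers[ip] = p
	}
	if now.Before(p.bannedUntil) {
		return "drop" // still inside the ignore window: no parsing, no reply
	}
	if authed {
		p.strikes = 0
		return "accept" // caller goes on to decode and verify the event
	}
	p.strikes++
	if p.strikes >= maxStrikes {
		p.strikes, p.bannedUntil = 0, now.Add(banFor)
	}
	return "auth-required" // caller sends the OK false "auth-required:" reply
}

func main() {
	g, t0 := NewAuthGate(), time.Unix(0, 0) // constructed clock
	for i := 0; i < 5; i++ {                // constructed burst, one frame every 400ms
		fmt.Println(i, g.OnEvent("203.0.113.7", false, t0.Add(time.Duration(i)*400*time.Millisecond)))
	}
}
```

A long-running relay would also need to expire idle entries from the `peers` map, which this sketch leaves out.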