Dearest ReplyGuy, great big bitch, I have updated my relays to require a valid NIP-05 author, OR a proof-of-work difficulty of at least 4.
I have also released a new version of #Nostrify with this policy: https://nostrify.dev/policy/all#domainpolicy
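The policy described in the post above (accept a note when its author has a valid NIP-05 identifier, or when the note's id carries at least 4 bits of NIP-13 proof of work), as an added example that is not from this thread or from Nostrify. The function names, the injected `fetchNostrJson` lookup and the sample data are hypothetical, and the event id and signature are assumed to be verified already.

```javascript
// Added example; names are hypothetical and this is not Nostrify's API.
// Assumes event.id and event.sig were already verified upstream.

// NIP-13: difficulty is the number of leading zero bits in the hex event id.
function powDifficulty(idHex) {
  let bits = 0;
  for (const ch of idHex) {
    const nibble = parseInt(ch, 16);
    if (Number.isNaN(nibble)) return 0;    // malformed id earns no credit
    if (nibble === 0) { bits += 4; continue; }
    return bits + Math.clz32(nibble) - 28; // zero bits inside first non-zero nibble
  }
  return bits; // all-zero id
}

// NIP-05: "name@domain" is valid when the domain's /.well-known/nostr.json
// maps that name to the author's hex pubkey. fetchNostrJson is injected so
// the example runs offline; a relay would do the HTTPS GET (async) there.
function nip05Valid(identifier, pubkey, fetchNostrJson) {
  const m = /^([a-z0-9\-_.]+)@([a-z0-9\-.]+)$/i.exec(identifier ?? "");
  if (!m) return false;
  const name = m[1].toLowerCase();
  const doc = fetchNostrJson(m[2].toLowerCase(), name);
  return typeof pubkey === "string" && doc?.names?.[name] === pubkey;
}

// Relay policy from the post: valid NIP-05 author OR PoW difficulty >= 4.
function acceptEvent(event, authorNip05, fetchNostrJson, minPow = 4) {
  if (nip05Valid(authorNip05, event.pubkey, fetchNostrJson)) return true;
  return powDifficulty(event.id) >= minPow;
}

// Constructed sample data (not real keys or domains).
const PUBKEY = "ab".repeat(32);
const WELL_KNOWN = { "example.com": { names: { alice: PUBKEY } } };
const lookup = (domain) => WELL_KNOWN[domain];
const note = (id) => ({ id, pubkey: PUBKEY });

console.log(acceptEvent(note("f".repeat(64)), "alice@example.com", lookup)); // NIP-05 path
console.log(acceptEvent(note("0" + "f".repeat(63)), undefined, lookup));     // PoW path
console.log(acceptEvent(note("1" + "f".repeat(63)), "alice@other.example", lookup)); // neither
```

The NIP-05 branch only confirms that some domain serves a JSON document naming the pubkey, so a relay that wants domain-level blocking has to apply it inside the lookup step.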
Honest question: given that spammers are already using AWS to rotate IPs and LLMs to generate content, is NIP-05 verification really much of a deterrent? How hard or expensive is it to serve JSON with a pubkey from a bunch of random domains?
Wouldn't random domains get significantly more expensive and easier to block?
It depends. Are we willing to blanket ban onion addresses? GitHub Pages? Free NIP-05 services? All sorts of other free or dirt-cheap hosting and serverless "worker" options? I can think of a gazillion different ways to serve NIP-05 JSON for free or very cheaply, and blanket banning some of them would certainly impact legitimate users.
I'm not sure, maybe.
For the Ditto model it might be perfect to give those administrating their site the choice. Ditto's use case is about using Nostr to grow a community, so might be perfect there.
For everyone else it still sounds pretty good though. Especially if you can choose which domains to block. Though I don't really understand PoW and spam mitigation. I need to look that up.
Not particularly difficult, but it becomes a game of attrition for the attacker, where they will now have to burn money for every domain they use to spam with. Whereas rotating IPs on AWS incurs no additional cost other than provisioning time.
Freenom domain TLDs could be used to avoid paying, but wildcarding those TLDs could be done.
I think this reasoning vastly underestimates how many free or dirt-cheap options there are out there. In my opinion, NIP-05 verification is a band-aid measure at best. We can’t blacklist all free or cheap top-level domains without impacting a lot of legitimate Nostr users. For instance, are relay operators willing to blacklist free NIP-05 services like Nostrum, zaps.lol, Nostrcheck.me, etc.? Because we live in a ChatGPT/Claude world, and script kiddies can easily mass-register using a combination of these services.
Then why isn't Mastodon getting spammed this badly?
You know the answer better than I do, Alex. ActivityPub and Nostr are different beasts. There’s still plenty of spam on ActivityPub, but historically, if someone uses a Mastodon, Rebased, or whatever server to mass-register bots and spam the network, the server under attack will be defederated faster than you can say "moderation."
I’m not saying that Mastodon is failsafe, by the way. There are plenty of unpatched vulnerabilities being exploited. Luckily, "ReplyGuy" doesn’t have the hots for ActivityPub at the moment.
Still, my point stands: NIP-05 verification only requires someone to post a nostr.json somewhere. The equivalent Mastodon "link verification" feature isn’t what’s stopping Mastodon servers from getting hammered.
jack needs to get nip05 lol
Great what are your relays?
Turns out ReplyGuy is already doing PoW. I cranked up the difficulty.
Lol
To mute the replyguy is easy on the client side: just add mute words to the words on the profile.
Amethyst has this so you just need to add GM's that he is muted.
The problem is the impersonator spam.
How can he afford to do this at scale?
What about no NIP-05 alias? 🙄
NIP-05 is not verification of a valid identity, it's verification of a valid DNS alias!
---
Please, I'm afraid I'm going to need PoW-notes in nostr:nprofile1qqs24yz8xftq8kkdf7q5yzf4v7tn2ek78v0zp2y427mj3sa7f34ggjcpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj703s8dt .
🙏
So, PoW is not coming to nostr:nprofile1qqs24yz8xftq8kkdf7q5yzf4v7tn2ek78v0zp2y427mj3sa7f34ggjcpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj703s8dt , I suppose, right?
😏