Honest question: given that spammers are already using AWS to rotate IPs and LLMs to generate content, is NIP-05 verification really much of a deterrent? How hard or expensive is it to serve JSON with a pubkey from a bunch of random domains?


Discussion

Wouldn't random domains get significantly more expensive and easier to block?

It depends. Are we willing to blanket ban onion addresses? GitHub Pages? Free NIP-05 services? All sorts of other free or dirt-cheap hosting and serverless "worker" options? I can think of a gazillion different ways to serve NIP-05 JSON for free or very cheaply, and blanket banning some of them would certainly impact legitimate users.

I'm not sure, maybe.

For the Ditto model it might be perfect to give those administrating their site the choice. Ditto's use case is about using Nostr to grow a community, so might be perfect there.

For everyone else it still sounds pretty good though. Especially if you can choose which domains to block. Though I don't really understand PoW and spam mitigation. I need to look that up.

Not particularly difficult, but it becomes a game of attrition for the attacker, where they will now have to burn money for every domain they use to spam with. Whereas rotating IPs on AWS incurs no additional cost other than provisioning time.

Freenom domain TLDs could be used to avoid paying, but wildcarding those TLDs could be done.

I think this reasoning vastly underestimates how many free or dirt-cheap options there are out there. In my opinion, NIP-05 verification is a band-aid measure at best. We can’t blacklist all free or cheap top-level domains without impacting a lot of legitimate Nostr users. For instance, are relay operators willing to blacklist free NIP-05 services like Nostrum, zaps.lol, Nostrcheck.me, etc.? Because we live in a ChatGPT/Claude world, and script kiddies can easily mass-register using a combination of these services.

Then why isn't Mastodon getting spammed this badly?

You know the answer better than I do Alex. ActivityPub and Nostr are different beasts. There’s still plenty of spam on ActivityPub, but historically, if someone uses a Mastodon, Rebased, or whatever server to mass-register bots and spam the network, the server under attack will be defederated faster than you can say "moderation."

I’m not saying that Mastodon is failsafe, by the way. There are plenty of unpatched vulnerabilities being exploited. Luckily, "ReplyGuy" doesn’t have the hots for ActivityPub at the moment.

Still, my point stands: NIP-05 verification only requires someone to post a nostr.json somewhere. The equivalent Mastodon "link verification" feature isn’t what’s stopping Mastodon servers from getting hammered.
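A relay-side check of the NIP-05 flow the opening question and the last reply describe (fetch `https://<domain>/.well-known/nostr.json?name=<local-part>`, compare the returned hex pubkey with the one the user claims), with the per-domain block list mentioned earlier in the thread applied before anything is trusted. This is an added example, not code from the thread or from any Nostr project; the pubkey, the JSON body and the policy domains are constructed placeholders, and no network request is made: the JSON body is passed in as a string so the logic runs offline.

```python
"""Relay-side NIP-05 checker (added example, not a Nostr project's code).

Validates a fetched nostr.json body against a claimed identifier and pubkey,
and applies an operator-chosen domain policy first. Sample values are constructed.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
from urllib.parse import quote

# NIP-05: the local part is case-insensitive a-z0-9-_. ; pubkeys are 64 lowercase hex chars.
LOCAL_PART_RE = re.compile(r"^[a-z0-9._-]+$")
HEX_PUBKEY_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed placeholders for the demo below (not a real key or a real service).
SAMPLE_PUBKEY = "0123456789abcdef" * 4
SAMPLE_GOOD_JSON = json.dumps(
    {"names": {"bob": SAMPLE_PUBKEY}, "relays": {SAMPLE_PUBKEY: ["wss://relay.example"]}}
)


@dataclass
class DomainPolicy:
    """Operator-chosen deny lists: exact domains and domain suffixes (hypothetical values)."""
    blocked_domains: Set[str] = field(default_factory=set)
    blocked_suffixes: Tuple[str, ...] = ()

    def is_blocked(self, domain: str) -> bool:
        # str.endswith accepts a tuple; an empty tuple never matches.
        return domain in self.blocked_domains or domain.endswith(self.blocked_suffixes)


def split_identifier(identifier: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain) lower-cased, or None if the identifier is malformed."""
    if identifier.count("@") != 1:
        return None
    local, domain = identifier.lower().split("@")
    if not LOCAL_PART_RE.match(local) or not domain or "/" in domain:
        return None
    return local, domain


def nip05_url(identifier: str) -> Optional[str]:
    """Well-known URL a verifier would fetch for this identifier (HTTPS only)."""
    parts = split_identifier(identifier)
    if parts is None:
        return None
    local, domain = parts
    return f"https://{domain}/.well-known/nostr.json?name={quote(local)}"


def check_nip05(identifier: str, claimed_pubkey: str, body: str, policy: DomainPolicy) -> str:
    """Classify a NIP-05 claim given the nostr.json body fetched from its domain.

    Returns one of: bad_identifier, blocked_domain, malformed, pubkey_mismatch, verified.
    The domain policy is applied before the body is parsed, so a blocked domain
    never gets to influence the result even with a perfectly valid document.
    """
    parts = split_identifier(identifier)
    if parts is None:
        return "bad_identifier"
    local, domain = parts
    if policy.is_blocked(domain):
        return "blocked_domain"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "malformed"
    names = doc.get("names") if isinstance(doc, dict) else None
    if not isinstance(names, dict):
        return "malformed"
    pubkey = names.get(local)
    # Strict: the served value must be 64 lowercase hex chars, as the spec requires.
    if not isinstance(pubkey, str) or not HEX_PUBKEY_RE.match(pubkey):
        return "malformed"
    if pubkey != claimed_pubkey.lower():
        return "pubkey_mismatch"
    return "verified"


if __name__ == "__main__":
    policy = DomainPolicy(blocked_domains={"free-nip05.example"}, blocked_suffixes=(".cheap.example",))
    for ident in ("bob@alice.example", "Bob@free-nip05.example", "bob@sub.cheap.example"):
        print(ident, "->", nip05_url(ident), check_nip05(ident, SAMPLE_PUBKEY, SAMPLE_GOOD_JSON, policy))
```

The check deliberately treats a well-formed document on a blocked domain exactly like a malformed one from the relay's point of view: the thread's argument is that serving the JSON is cheap, so the only lever an operator really has is the domain policy, and the code keeps that decision in one place (`DomainPolicy`) where it can be tuned without touching the parsing.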