Blake
b2dd40097e4d04b1a56fb3b65fc1d1aaf2929ad30fd842c74d68b9908744495b
#Bitcoin #Nostr #Freedom wss://relay.nostrgraph.net

Thanks everyone for your⚡️s!

I think continuing to zap each other will form the basis for how Nostr survives in the long run, and how Bitcoin + lightning can become widely adopted.

There is a remote signed NIP (I think , or just something that’s possible anyway) that allows a user to ask a server perhaps to calculate the event id before it’s signed.

You can’t generate an event’s id before you know the exact content, as it’s part of the hash.

Potentially instead of pay to relay (either 1/sat, have a relay subscription), perhaps min POW is the other option.

At least one relay required a min POW. The issue is you lose a lot of data for things like the event reactions which may not be by clients who use POW.

Paying 1/sat to a relay instead of burning CPU for POW seems like the more desirable approach.. but PoW as a fallback is nice for anonymity.
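The two points above (the id is a hash over the exact content, and a relay can demand a minimum PoW) shown together, as an added example that is not from the original posts or the author's repositories. It follows the NIP-01 id serialization and NIP-13 leading-zero-bit difficulty; the pubkey, timestamp and content are constructed, and signature verification is left out.

```python
import hashlib
import json

def event_id(pubkey, created_at, kind, tags, content):
    # NIP-01: id = SHA-256 of the compact JSON array below, UTF-8 encoded.
    # json.dumps matches the NIP-01 escaping for ordinary text; rare control
    # characters would need a custom serializer.
    data = json.dumps([0, pubkey, created_at, kind, tags, content],
                      separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def leading_zero_bits(hex_id):
    # NIP-13 difficulty: count of leading zero bits in the id.
    return len(hex_id) * 4 - int(hex_id, 16).bit_length()

def mine(pubkey, created_at, kind, tags, content, target):
    # Client side: vary a "nonce" tag until the id meets the target.
    nonce = 0
    while True:
        mined = tags + [["nonce", str(nonce), str(target)]]
        eid = event_id(pubkey, created_at, kind, mined, content)
        if leading_zero_bits(eid) >= target:
            return mined, eid
        nonce += 1

def relay_accepts(event, min_pow):
    # Relay side: recompute the id from the fields, never trust the claimed
    # one, then apply the minimum difficulty. Signature check omitted here.
    eid = event_id(event["pubkey"], event["created_at"], event["kind"],
                   event["tags"], event["content"])
    return eid == event["id"] and leading_zero_bits(eid) >= min_pow

if __name__ == "__main__":
    pk = "ab" * 32  # constructed placeholder pubkey
    tags, eid = mine(pk, 1700000000, 1, [], "hello nostr", 8)
    ev = {"id": eid, "pubkey": pk, "created_at": 1700000000, "kind": 1,
          "tags": tags, "content": "hello nostr"}
    print(eid, relay_accepts(ev, 8))
    print(relay_accepts(dict(ev, content="edited"), 0))  # id no longer matches
```

Any change to the content or tags after mining changes the id, so the work has to be redone for every event, reactions included.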

Something interesting the latest spammer used, is this service. It’s basically a zero sign up NIP-05 service. It’s actually pretty cool.

What it does mean however is that having a NIP-05 and even being a validated NIP-05 means nothing regarding trust that can be given to a NIP-05 verification.

And just to clarify, not saying that applies to all NIP-05 domains, just that having any valid NIP-05 in and of itself isn’t useful without further validation by other means.

In this case, the spammer created a kind0 metadata event and got a fully verified NIP-05 without any further effort - but their posts looked more authentic in client apps… which is something to ponder if this is good app UX.


Ok, so for those of you who were keen for the latest Nostr spam ML models and training data, I've updated the GitHub repo. 92k examples with 13k labelled as spam. Sits around 98% accuracy - in practice I’ve found it eliminates all effective spam for kinds 1/42.

I still review high scoring non-spam, but under 90% to help expand the training set.


https://github.com/blakejakopovic/nostr-spam-detection

Kind of 🙂. I updated some connection logic to filter bots recently and some clients seem to be impacted by being unable to connect.

I just pushed an update, and seems to be working for clients I’ve just tested. Let me know if it’s connecting again.

Yep. It was mostly kind 6/7 as flood spam. But also most pubkeys had a single kind 0 too.

It could be an option. It doesn’t work for lower quantity or targeted spam.

0.000231 Satoshi/USD *1850000 spam events from this recent attack = $427.35.

Question kind of becomes the marketplace one - can someone make more than $427USD with 1.85MM events paid 1 sat/event for?

However, if they pay 1 sat/event and it still can then be filtered as spam, that would really lower the effectiveness. But again, you would need to pay 1 sat per relay you publish to.

And it’s a bit of a pain too, because it uses a pubkey for 100 events of kind 6 and 100 of 7, then rolls the pubkey.

100 reactions in an hour is a lot for a human, but not unthinkable. 100 reposts is likely a stretch.

I think paying a small amount for storage which is cheap may be part of a workable approach. Pay $2/month for 2GB relay storage. Pay a few relays for distribution and redundancy.

But added friction to posting is still not ideal. The trade off is anyone can post including machines and machine cost to post is near zero. Twitter and others still failed and they literally had KYC.

Tor has its problems, and external funding, but it has survived.

I think we can hopefully do better than Tor, as its utility is devalued significantly by DDOS + performance which makes it more niche.

Not documenting, but tracking in that spam attacks are both more visible when aggregating relay data, but also potentially more bursty and annoying too.

I’ve got content based spam down to effectively 0 using ML. Just like email spam, some will slip through, but it’s pretty decent and can improve as we scale. I open sourced the training data and code - but I have an update yet to release. Obviously it has limits tho.

This attack is kind of new. It’s more just bloating DBs and clogging any relay processing. And events without content are harder to evaluate without touching the DB to query for state - I have stateless validation working at present.

Yep. It’s mostly just DB bloat at this point.

There is currently an active spam attack on Nostr that’s using kind 6 and 7s and generating around 80k spam events an hour.

Seems to mostly be targeting the Damus relay. It’s harder to filter these as rolling pubkeys with Profile meta and nip-05 - and no event content to check spam.

Really throttling and rate limiting is a good start, however we may need better methods.

It’s possible that relays could also give badges to good actors or similar to help other relays more easily detect spam. And other relays could trust certain relays for accuracy.

It may need some kind of WoT, as badges like ‘100 days without creating spam’ for a pubkey just lead to spam account pre-creation.

Accounts with fewer milestones/badges could then be more heavily scrutinised for spam (e.g. more computationally expensive spam checkers, flood detecting, higher publish throttling/lower rate limits, etc). Maybe reactions/reposts are not counted in totals until they pass some gates.

It kind of flips the spam detection from being check everything to check highest risk - which can scale much better. Only downfall is how much does it impact new identities? And for how long? It’s possible it could be almost invisible.. or abused as a censorship layer.

Could be a cool gamification layer.
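A sketch of the "check highest risk" idea applied to the kind 6/7 flood described earlier (100 reposts and 100 reactions per pubkey, then a new pubkey), added here as an example and not taken from the author's relay code. The tier names, the hourly limits and the `established` set are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds in the sliding window
# Assumed hourly limits per kind; unknown pubkeys get the stricter tier.
LIMITS = {
    "new":         {6: 5,  7: 20},
    "established": {6: 50, 7: 200},
}

class TieredLimiter:
    def __init__(self, established):
        self.established = set(established)  # pubkeys with earned trust
        self.seen = defaultdict(deque)       # (pubkey, kind) -> accepted times

    def allow(self, pubkey, kind, now):
        tier = "established" if pubkey in self.established else "new"
        limit = LIMITS[tier].get(kind)
        if limit is None:
            return True  # other kinds are not throttled in this sketch
        q = self.seen[(pubkey, kind)]
        while q and q[0] <= now - WINDOW:    # drop entries outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

def replay_flood(limiter, keys, per_kind=100, start=0):
    # Constructed flood: every fresh pubkey sends per_kind events of kind 6
    # and of kind 7, one per second, then the sender rolls to a new pubkey.
    accepted, t = 0, start
    for i in range(keys):
        pubkey = f"{i:064x}"
        for kind in (6, 7):
            for _ in range(per_kind):
                accepted += limiter.allow(pubkey, kind, t)
                t += 1
    return accepted

if __name__ == "__main__":
    limiter = TieredLimiter(established={"aa" * 32})
    print(replay_flood(limiter, keys=10), "of 2000 flood events accepted")
```

Rolling pubkeys still get the new-tier allowance each, so this caps the flood per key without stopping it, and the limiter's own state grows with every new key unless idle entries are evicted.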

It’s really just querying a database, but you need the data. When I first was experimenting, I open-sourced a huge list of useful SQL queries, and database processors in Ruby with Postgres.

I’ve migrated to Rust, but the basics are there and great for starting to explore Nostr data.

https://github.com/blakejakopovic/NostrEventPlayground