I see people claiming that a single solution solved all spam issues, but in reality each solution has different tradeoffs. Web of Trust has lots of collateral damage. You filter out legitimate posts from people completely outside your circles. I would hate to lose that. The best anti spam will likely be a combination of anti spam algos and WoT, allowing people outside your circles if the message doesn’t trigger your spam algo. Lightning is effective as well, but not everyone uses that.
Rate limit notes will help
Yeah we do that on the damus relay, it slows down attackers a lot
👍🏻
I'm really excited to see how different clients and relays choose to tackle this issue. The flexibility and competition will probably find the best combination. Having personal control over how it's filtered is a huge win for users as well.
WoT relays are just a bandaid, it's very crude, definitely not the final form
Proof of work :eyes:
Spammers with infrastructure are better at PoW
But don't you think that a small proof of work would be a small amount of work for every client, but a big amount of work for a spammer who sends 1000 messages per second? Therefore it could work out. But I like your conservative view on this topic. I'd rather see some spam than remove it all, with lots of human posts caught in the filter.
“Better”? Did you mean “way better”? 😂
ya
my PoW miner was pushing about 70MH/s on a 7950X. It had no SIMD and no cache optimization. I haven’t even implemented SIMD or CUDA yet.
I think you would have to calculate the watts required for the average Joe sending out 1 reply per 10 seconds from an 8 year old phone, say a Google Pixel 1 or an iPhone 8, and a spammer having to send out several thousand per second on optimized infrastructure (in which they'd have to invest as well). I'm not sure what the numbers are here, and maybe the spammer wins out in efficiency, but running a 7950 whatever costs you several hundred watts while still having to invest in the hardware and energy. It all boils down to whether they can turn a profit from it or not in the end.
dynamic PoW related spam prevention (fee vs pow) discussion: https://github.com/monero-project/research-lab/issues/119#issuecomment-2058822967 https://github.com/Gingeropolous/txsim
How sure are we that they have CPU performance to that level?
Proof of Work can be done in a way that is extremely expensive to scale - see Argon2 or RandomX algorithms. Basically, the idea is to resist ability to offload computation to GPU/FPGA/ASIC. Without them and with a memory-intensive algorithm, cost of an attack grows fast.
That is the folklore, but there's no reason you couldn't make an ASIC for any "ASIC resistant" algo
Yes, but in the meantime whilst they plan out their fabrication for such an ASIC we can have a win. So, I don't think it is a bad take. We're making this spammer sound like an overlord with abundant resources.
ASICs are good as long as you don't need a hefty amount of RAM, as is the case for Argon2. See this paper: https://www.cryptolux.org/images/0/0d/Argon2.pdf Basically, the point of a memory-hard hash function is to make parallelization by an ASIC expensive due to memory usage.
What does lightning have to do with this?
You could use zaps to improve the spam score of a pubkey. If you’ve received a zap total above a certain amount you could use this as signal that they are not a spammer.
Extremely easy to game though. It wouldn’t even really cost the attacker, because they’d just be zapping themself.
Well zapping yourself wouldn’t work. I would only count zaps from someone else to yourself. You can’t game that.
What do you mean? The attacker could just zap from a new nsec per zap. Maybe I’m missing something though. I thought lightning payments were kinda sorta anonymous like that.
Zaps are receipts of lightning payment. If they are paying me money to improve their spam score then fine, but if they start spamming with that key I can just mute them and then they have lost money
The attacker sends one zap per nsec to an account they want to spam with, many times. They lose basically no money because they own the wallet receiving all the zaps. The Lightning Network is designed to be private. Given a bunch of different lightning payment receipts, can you really tell whether or not they all came from the same person?
What you’re saying makes no sense, if they want to spam me for instance, they do not own my wallet. Are you describing a scenario where they are spamming themselves? Huh?
At the end of the day, my nostrPubkey on my lnurl endpoint says to only trust zaps from my lightning node. I can use this to trust that the zaps I receive are legit. Zaps are tied to sender pubkeys. If I see a zap from someone, then I know that person initiated the zap and most likely paid the zap. I can use this to improve that pubkey's spam score. If they are a spammer and send me 10000 sats to pass my filter and start spamming me, then I can just mute that key and they have to send me another 10000 sats to try again.
I am describing a scenario where the spammer spams everyone they possibly can, en masse. Any algorithm that tries to filter out the spammer's notes based on checking if the spammer has been zapped enough times by "peers" would be fooled, because the spammer would have been zapped many times over (and it would look like other people zapped him).
OK, I suggested an algo that works, you're suggesting an algorithm that is broken and doesn't. Don't use that algo? In my scenario, it would block a mass spammer because they would have to zap every single person they are spamming, which would be very costly.
Isn't your proposed algorithm susceptible to the exact same shortcoming of WoT then? i.e. nobody would be able to see new users. And even if these new users zapped you specifically, they'd still remain invisible to everybody else using the same algorithm.
Hmm, wouldn't they just be able to shuffle around some zaps over different npubs of which they are both sender and recipient? Seems very easy to circumvent. I would argue that PoW (challenging your answer on another reply) imposes an absolute penalty on spamming, but the penalty might be too low for a spammer while also being too high for new users. While PoW on a single post is not so high, using it to send out thousands of replies would cost a lot of energy and therefore a lot of money.
Spamming will stop when relays are pay to post. That can be offset by zap to like. It's gonna be hard to reset the standards. New users will flock here when their activity will be rewarded.
That basically makes it that you have to be a bitcoiner to use nostr which is not very open
You say that like it's a bad thing.
OR... Perhaps you could just sublimate those elements within a client.
Has Saylor's idea of posting a small amount of Bitcoin collateral to your profile been tried yet?
Nah, but I think zaps contributing to a pubkey's spam score would be a great solution
The way this was done at Odysee is called boosting: anyone could stake coins, without the coins leaving their wallet, on any other post/user, and that ranks up the score. Not sure if a mechanism like this is doable with LN/zaps, so you don't need to send coins but can keep boosting different npubs, or withdraw and spend the coins when they're not needed anymore.
Interesting. Almost like a publicly verified identity based on value or contribution to the social network?
I quite like dooty nostr:nprofile1qqsg73x9vycmxcnx3v8qr05vwxey0pje3wmglwgfeltcl2lmqkxapuqpz3mhxue69uhhyetvv9ujuerpd46hxtnfduq32amnwvaz7tmjv4kxz7fwd4hhxarj9ec82cspzpmhxw309a6k6cnjv4kr5dpcxsuqe7whac's suggestion of a PoW relay set to 10 or something. I know nothing. But is this an actual use case for nip05? Like filter out anyone without one? (Again, you won't see the notes saying "how do I get a nip05" lol). But also... can a spam attack just make nip05s very easily?🤔
Also, for people interested in the zaps/cashu/lightning route for spam, I think using PoW underneath is much better. Imagine we have people that provide a good hashrate and you give them 21 sats for a note of 35 bits or something.
sha256 PoW is so optimized and built out already though. One spammer with an ASIC would make this method moot.
That's what I'm saying: imagine you pay 21 sats to someone with an optimised ASIC(?)/GPU set-up to do the proof-of-work for your note, and then you sign it. And a PoW provider can be interacted with in many different ways (doesn't have to be a lightning payment), which doesn't make us rely on something niche that most new users aren't set up with.
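What a "PoW relay set to 10" and a "note of 35 bits" actually enforce, as an added example that is not code from anyone in this thread: a relay-side NIP-13 difficulty check (leading zero bits of the event id, plus the target committed in the nonce tag) next to the client-side mining loop that produces it. The event and pubkey are constructed placeholders, and the serialization follows NIP-01/NIP-13 as assumed here.

```python
import hashlib
import json


def event_id(ev):
    """Nostr event id: sha256 over the NIP-01 serialization
    [0, pubkey, created_at, kind, tags, content], no extra whitespace."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"],
                      ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()


def leading_zero_bits(hex_id):
    """NIP-13 difficulty: count of leading zero bits in the 256-bit id."""
    return 256 - int(hex_id, 16).bit_length()


def committed_target(ev):
    """Target difficulty the client committed to in ["nonce", n, target], 0 if absent."""
    for tag in ev["tags"]:
        if len(tag) >= 3 and tag[0] == "nonce":
            return int(tag[2]) if tag[2].isdigit() else 0
    return 0


def relay_accepts(ev, min_difficulty):
    """Relay-side filter: the id must really carry min_difficulty zero bits AND
    the nonce tag must commit to at least that target, so an id that happens to
    have a few leading zeros is not mistaken for deliberate work."""
    return (leading_zero_bits(event_id(ev)) >= min_difficulty
            and committed_target(ev) >= min_difficulty)


def mine(ev, target, max_iters=1_000_000):
    """Client side: bump the nonce tag until the id meets the target.
    Returns the mined event, or None if max_iters is exhausted."""
    ev = dict(ev)
    base_tags = [t for t in ev["tags"] if t[0] != "nonce"]
    for nonce in range(max_iters):
        ev["tags"] = base_tags + [["nonce", str(nonce), str(target)]]
        if leading_zero_bits(event_id(ev)) >= target:
            return ev
    return None


# Constructed sample note; the pubkey is a placeholder, not a real key.
SAMPLE = {"pubkey": "ab" * 32, "created_at": 1700000000, "kind": 1,
          "tags": [], "content": "gm nostr"}
```

At difficulty 10 the loop needs about a thousand hashes, which is the asymmetry the thread argues over: negligible for one reply, a real cost multiplied across thousands of spam notes.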
What if you could somehow provably burn 21 sats?
I feel like WoT is pretty great and the DVM feeds and Blindspots in #nostrudel Discover tab fill in the gaps. I'm sure you devs will keep coming out with new stuff. Seems like relay dev ops are quickly becoming more important
I was using relays that had WoT and I was losing posts from people I follow and who follow me; once I removed it I saw them again. It was bizarre.
Agree. There won't be a perfect solution and most likely we'll have a combination of several solutions that works for most people. The key, IMO, is to not alienate new nostriches. They need the most help here.
I think it is worth adding that no solution will eliminate 100% of spam. Well, you can filter 100% of spam only if you are not accepting any events at all, which is not a practical approach. The key is to filter most of the spam and leave only a small amount of false negatives (spam that made it to your feed) in favor of not having any false positives (legitimate events/posts being blocked/filtered) at all.
WoT suits me just fine. I'm not even sure I want to hear from my friends friends! For Derek and IIRC Jack, they want to see and greet new people. So absolutely "each solution has different tradeoffs" and we should empower users to choose the tradeoffs that suit them best.
I'm outside any circles, am I a ghost now?