 Dearest ReplyGuy, great big bitch, I have updated my relays to require a valid NIP-05 author, OR a proof-of-work difficulty of at least 4.

I have also released a new version of #Nostrify with this policy: https://nostrify.dev/policy/all#domainpolicy 
 Here is how I made it do the logic of "valid nip05 OR proof-of-work": https://gitlab.com/soapbox-pub/gleasonator-policy/-/blob/main/mod.ts?ref_type=heads#L33-41

(I also temporarily whitelisted a few VIPs with npubs. But they will be doing proof-of-work soon.) 
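
The "valid NIP-05 OR proof-of-work" rule described above, sketched as an added example that is not part of the thread and is not the gleasonator-policy or Nostrify code. `acceptEvent`, `sampleId` and the `DOCS` data are hypothetical and constructed; it assumes the relay has already verified the event id and signature and has fetched each domain's `/.well-known/nostr.json`.

```typescript
interface NostrEvent { id: string; pubkey: string }
// domain -> the "names" object from that domain's /.well-known/nostr.json (NIP-05)
type WellKnownDocs = Record<string, Record<string, string>>;

// NIP-13: difficulty is the number of leading zero bits in the hex event id.
function powDifficulty(idHex: string): number {
  let bits = 0;
  for (let i = 0; i < idHex.length; i++) {
    const nibble = parseInt(idHex.charAt(i), 16);
    if (isNaN(nibble)) return 0; // malformed id earns no credit
    if (nibble === 0) { bits += 4; continue; }
    // count the zero bits at the top of the first non-zero nibble, then stop
    return bits + (nibble >= 8 ? 0 : nibble >= 4 ? 1 : nibble >= 2 ? 2 : 3);
  }
  return bits;
}

// NIP-05: "name@domain" is valid only if the domain's document maps name -> this pubkey.
function nip05Valid(nip05: string | undefined, pubkey: string, docs: WellKnownDocs): boolean {
  if (!nip05) return false;
  const at = nip05.lastIndexOf("@");
  if (at < 1 || at === nip05.length - 1) return false;
  const names = docs[nip05.slice(at + 1).toLowerCase()];
  return names !== undefined && names[nip05.slice(0, at).toLowerCase()] === pubkey;
}

// Accept when EITHER check passes; reject with a reason when both fail.
function acceptEvent(ev: NostrEvent, claimedNip05: string | undefined,
                     docs: WellKnownDocs, minPow = 4): { ok: boolean; reason: string } {
  if (nip05Valid(claimedNip05, ev.pubkey, docs)) return { ok: true, reason: "nip05" };
  const got = powDifficulty(ev.id);
  if (got >= minPow) return { ok: true, reason: "pow" };
  return { ok: false, reason: `blocked: need valid NIP-05 or PoW >= ${minPow} (got ${got})` };
}

// Constructed sample data: pads a hex prefix to a 64-character id or pubkey.
function sampleId(prefix: string): string {
  let id = prefix;
  while (id.length < 64) id += "f";
  return id;
}
const DOCS: WellKnownDocs = { "example.com": { alice: sampleId("a1") } };
const verified = acceptEvent({ id: sampleId("9c"), pubkey: sampleId("a1") }, "alice@example.com", DOCS);
const mined = acceptEvent({ id: sampleId("0a"), pubkey: sampleId("b2") }, undefined, DOCS);
const spoofed = acceptEvent({ id: sampleId("1f"), pubkey: sampleId("c3") }, "alice@example.com", DOCS);
console.log(verified, mined, spoofed);
```

Each extra bit of `minPow` doubles the expected hashing work per note.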
 what about folks with no NIP-05?  
 Get one 
 Honest question: given that spammers are already using AWS to rotate IPs and LLMs to generate content, is NIP-05 verification really much of a deterrent? How hard or expensive is it to serve JSON with a pubkey from a bunch of random domains? 
 Wouldn't random domains get significantly more expensive and easier to block? 
 It depends. Are we willing to blanket ban onion addresses? GitHub Pages? Free NIP-05 services? All sorts of other free or dirt-cheap hosting and serverless "worker" options? I can think of a gazillion different ways to serve NIP-05 JSON for free or very cheap, and blanket banning some of them would certainly impact legitimate users. 
 I'm not sure, maybe.
For the Ditto model it might be perfect to give those administrating their site the choice. Ditto's use case is about using Nostr to grow a community, so might be perfect there. 

For everyone else it still sounds pretty good though. Especially if you can choose which domains to block. Though I don't really understand PoW and spam mitigation. I need to look that up. 
 Not particularly difficult, but it becomes a game of attrition for the attacker, where they will now have to burn money for every domain they use to spam with. Whereas rotating IPs on aws incurs no additional cost other than provisioning time.

Freenom domain TLDs could be used to avoid paying, but wildcarding those TLDs could be done. 
 I think this reasoning vastly underestimates how many free or dirt-cheap options there are out there. In my opinion, NIP-05 verification is a band-aid measure at best. We can’t blacklist all free or cheap top-level domains without impacting a lot of legitimate Nostr users. For instance, are relay operators willing to blacklist free NIP-05 services like Nostrum, zaps.lol, Nostrcheck.me, etc.? Because we live in a ChatGPT/Claude world, and script kiddies can easily mass-register using a combination of these services. 
 Then why isn't Mastodon getting spammed this badly? 
 You know the answer better than I do, Alex. ActivityPub and Nostr are different beasts. There’s still plenty of spam on ActivityPub, but historically, if someone uses a Mastodon, Rebased, or whatever server to mass-register bots and spam the network, the server under attack will be defederated faster than you can say "moderation."

I’m not saying that Mastodon is failsafe, by the way. There are plenty of unpatched vulnerabilities being exploited. Luckily, "ReplyGuy" doesn’t have the hots for ActivityPub at the moment.

Still, my point stands: NIP-05 verification only requires someone to post a nostr.json somewhere. The equivalent Mastodon "link verification" feature isn’t what’s stopping Mastodon servers from getting hammered. 
 nice, was waiting on nip05 filtering for a while, known network looks better already

had to clear the author_stats table, since that was somehow finding duplicate pubkeys there weren't multiples of
and guess my way through error: Uncaught (in promise) Error: DITTO_POLICY (error importing policy): /opt/ditto/data/policy.ts since it's currently swallowing up the underlying mess ups people might make 
 jack needs to get nip05 lol 
 @verita84 Look, I did it. 
 Turns out ReplyGuy is already doing PoW. I cranked up the difficulty. 
 To mute the replyguy is easy on client side just add mute words to the worlds on the profile.

Amethyst has this so you just need to add GM's that he is muted.

The problem is the impersonator spam. 
 Yeah but relays don't want to retain or deliver all of these notes. 
 Yep we should do on both sides  
 How can he afford to do this at scale? 
 With PoW he can still post 2-3 times per second, which is still enough to be persistently annoying. If we increase it so he can only spam once every 5 seconds, he will still be happy to do so, while users will suffer extreme slowness as they use the app. Basically I'm realizing PoW is not that good. A little doesn't hurt. 
 What about no NIP-05 alias? 🙄

NIP-05 is not verification of a valid identity, it's verification of a valid DNS alias!

---
nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcppemhxue69uhkummn9ekx7mp0qyghwumn8ghj7mn0wd68ytnhd9hx2tcewvzaw

Please, I'm afraid I'm going to need PoW-notes in nostr:nprofile1qqs24yz8xftq8kkdf7q5yzf4v7tn2ek78v0zp2y427mj3sa7f34ggjcpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj703s8dt .
🙏 
 So, PoW is not coming to nostr:nprofile1qqs24yz8xftq8kkdf7q5yzf4v7tn2ek78v0zp2y427mj3sa7f34ggjcpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj703s8dt , I suppose, right?
😏

nostr:nevent1qqsf4hgggeccgkdgy8t2t9n66gthd3fhz2xw4ta82uujajksnnh0g6spz4mhxue69uhhyetvv9ujumn0wd68ytnzvuhsygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqs8egyy8 
 Ok I thought you just never saw it now I get you just ignored it 😒 
Anyways I've said you should put some restrictions on damus relay like this because clients outside damus are having a horrible experience.
nostr:nevent1qqsw6njgaa3mpsfku23r5hjnzfvl3gyjhkc92zmfj4yh40ludf0uwespz4mhxue69uhhyetvv9ujumn0wd68ytnzvuhsygqyv87tanzvxd6y8xfj66u0zynfendhejtn44a9pt3k9kcntfr5m5psgqqqqqqsfcuws7 
 Try primal. I don’t see any spam on primal