 I love when bitcoiners think they are holier than thou because they have fees and PoW, but they still can’t stop spam in blocks. At least with relays we don’t have centralized decision making or storage, and can try different approaches (pyramid relay, pow relay, wot relay, ip rate limiting relay, ai anti spam relay, whitelist relay, rawdog yolo relay) and with outbox we can weave them together in an automatic way nostr:note19hle60l5fqq3u5d8nuvm0hgdxs0nuu7wa72ms2kv586g2p90639sa55hfk 
 Who thinks they are holier than thou? 
 I’ll be here learning from the back and forth 🍿 
 And Peter is raising money so he can remove even more spam protections. 

I know you want to “do something” but reconsider spending dev time on pattern matching and other easily bypassed modifications. Best to focus limited time on a full solution. 
 Where did I say I'm working on pattern matching? 
 Dunno, I just saw Peter’s “notes coming from certain IP addresses”. Assumed pattern matching of IP addresses. 
 There aren’t many options for public relays, if you allow notes from anyone (one of the stated goals for the public damus relay) then you basically just have ip filtering, rate limiting, and anti spam algos.

We will have a paid relay and a way to switch between paid and unpaid relays, but there still needs to be effort to keep the public one relatively spam free 
 It seems we’re exploring the bounds of a new “pick two” trilemma:

1) free to post
2) free of spam
3) free to connect with anyone 

The fundamental problem is that new users and spammers will be soon indistinguishable. LLMs will make sure that profiles are properly filled in with icons, the posts are unique, etc. 

I worry that IP filtering, rate limiting and anti-spam algos will just consume your time as you fight one fire after another and spammers quickly adapt to whatever you just did. With every fix, new users will lose visibility without recourse. 

I’m just thinking it’s best to solve the problem at the deeper level. eg. WoT plus an onboarding process for new users. 
 I don’t think of it that way, I see it as building better tools for detecting which connection sources are sending the most junk data, you can use statistical analysis based on the frequency of rate of write attempts.

Content-based filtering seems unlikely at this rate considering how the spam is currently operating.

I have a plan based purely on the rate of attempts, since we store that info in the rate limiter. This is fairly simple but will be even more effective once we start banning ips instead of just allowing 6 posts per minute, which still allows for a trickle of spam.

Once these tools exist, other relay operators can use them. rspamd is the same idea and it's extremely useful.

I'm sure there will be more techniques into the future, but it’s a bare minimum for a public relay. 
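
An added sketch of the rate-of-attempts idea in the post above (not part of the original post and not the damus relay's code): a limiter that counts every write attempt, including rejected ones, and escalates from the 6-posts-per-minute limit to a ban. The ban threshold, ban length and sample traffic are assumptions; the key is a source string, so a ban on a shared VPN or Tor exit address applies to everyone behind it.

```python
from collections import defaultdict, deque

WINDOW = 60.0         # seconds; the thread's limit is 6 posts per minute
ALLOWED = 6           # accepted writes per window
BAN_ATTEMPTS = 60     # assumed threshold: attempts per window that trigger a ban
BAN_SECONDS = 3600.0  # assumed ban length


class AttemptLimiter:
    """Sliding-window limiter that counts every write attempt, not only accepted ones."""

    def __init__(self):
        self.attempts = defaultdict(deque)  # source -> timestamps of all attempts
        self.accepted = defaultdict(deque)  # source -> timestamps of accepted writes
        self.banned_until = {}              # source -> time the ban expires

    def _trim(self, q, now):
        while q and now - q[0] >= WINDOW:
            q.popleft()

    def check(self, source, now):
        """Return 'accept', 'limited' or 'banned' for one write attempt."""
        if self.banned_until.get(source, 0.0) > now:
            return "banned"
        att, acc = self.attempts[source], self.accepted[source]
        self._trim(att, now)
        self._trim(acc, now)
        att.append(now)                     # rejected attempts still count
        if len(att) >= BAN_ATTEMPTS:
            self.banned_until[source] = now + BAN_SECONDS
            return "banned"
        if len(acc) >= ALLOWED:
            return "limited"
        acc.append(now)
        return "accept"


def replay(events):
    """Run constructed (source, time) attempts through a fresh limiter; tally outcomes."""
    limiter, tally = AttemptLimiter(), defaultdict(lambda: defaultdict(int))
    for source, now in events:
        tally[source][limiter.check(source, now)] += 1
    return {s: dict(t) for s, t in tally.items()}


# Constructed traffic: a person posting every 20 s and a bot attempting twice a second.
SAMPLE = sorted([("198.51.100.7", t * 20.0) for t in range(15)] +
                [("203.0.113.9", t * 0.5) for t in range(600)], key=lambda e: e[1])
```

With the limit alone the bot would keep getting 6 notes through every minute; counting its rejected attempts is what separates it from the slow poster.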
 This makes sense. Spam is junk data. In order to be actually solution-focused which is what tf matters here… we don’t give the same rights to spam bots as we do real users. (Obvious to me, idk) There’s a pretty simple way to filter out the spam on a public relay level with data that is already captured. A fix it and fix it fast solution? Can someone let me know if I’m understanding this correctly? 

Rate limiting is “posts per minute” data…

And IPs would be the IP addresses of identified spammers? 

Again all happening at the client level which can be toggled between or you can simply run your own relay and sift your own data? 
 Sure, but how do you know the difference between a spam bot and a real user? 
 That I don’t know… I don’t really understand everything happened at the client level. What I do understand is that it does, in fact, make the most sense to run your own relay and everyone run their own relay for us to truly have technical decentralization.  
 It’s a really hard problem for devs because spammers can use AI to create profiles that are practically indistinguishable from regular users. The fake profiles could be filled in complete with avatars, background image, etc. 

Imagine if every post was hit with 100 replies that you’re pretty sure aren’t real but you don’t know for certain. 

Spammers will use TOR and VPNs so if relays block those, they’ll harm the privacy of real users. (Eg I’m using TOR right now)

Spammers can also target larger accounts or new users for abuse and can also flood your DMs with spam to make that unusable too. 

It’s a hard problem. No easy solutions. I’m personally in favor of the WoT model with a guided onboarding process for new users to get into the web of trust. 
 This was a really well thought out response and I appreciate it ☺️ I originally felt that WoT was ideal. Ultimately, I just believe that it should be up to the dev at the client level…. But only because I’m a freedom maxi. Your client app, your creation, your rules. The only reason it impacts decentralization, currently, is because there aren’t enough competing clients. Relays still allow for a decentralized experience… now if all clients coordinated, that is problematic for the network. That’s where it gets tricky for me because I come from places where we have events to reach consensus at a democratic level. But we can always spin up new relays and as nostr scales new clients here. So, it’s very different than most decentralized networks from my understanding. 
 Seems like this problem was already solved with Adam Back's proof of work. Read is free, but impose a physical cost to write. That cost has to be enough to make spam economically infeasible, but not so drastic as to impact anyone's ability to afford to write. The relay, client, and individual settings dictate the filter level of PoW cost to write. Some experience low or no spam, some experience higher value (more expensive) spam, some experience lots of spam... all based on preference. If the AIs create valuable enough "spam" then users will want to see it and the individuals paying to spam will be able to afford it.

For a cost example, one sat per post would mean about $7 per year for 30 posts every day.

Just making this up as I go, what are the problems with this strategy? 
 There’s nothing technically wrong with the strategy.

A few things to consider:

Spammers can also do PoW so it would slow them down but not stop them completely. Also, they could target specific accounts to focus the abuse. For example, all large accounts or only new users. 

A lot of people use their phones and PoW could have a deleterious effect on phone batteries. 🪫 

It might be better to have the PoW upfront so the “price” is larger but paid once to create the account rather than each time to send a message. Especially if there was a way to quickly blacklist their accounts everywhere. 

I’m still thinking about a WoT model where new users must be sponsored (followed) by an existing user. The nostr clients offer a few guided options on how to get “into the club”. 

Some ways of getting sponsored:

Attend a meetup / conference / real life and find an existing nostr user. 

Do a large PoW and send a DM to an existing user. 

Send a zap to an existing user. 

Etc. 
 We had that on clubhouse and it turned into social elitism 
 Curious about that. Why do you think that was? 
 We didn’t have proof of work… but we had sponsors, that’s how you got in. I got a very early clubhouse invite and it was such an ick vibe. People like thirsted for an invite?? … and then the people inside used it as leverage for control?? for what??  I wasn’t sure… because it was a madhouse environment just to feel like you were listening in on your corporate offices middle management meeting? 

And this is not the vibes for social media for divine creators… IMO 
 Great points. I agree it's not perfect, but each user could tune how much they want to slow down spammers vs not see valuable content. I like the upfront PoW cost as a further hurdle and I like the WoT / meet up layers as well. Maybe some of all of it. I suspect there is no silver bullet, but also that real Nostr users who put in the effort and PoW should have better visibility. Interesting about Gel's comment that this can turn into an elite club. Real world example in Club House.  

It will be fun to see how this evolves.
 
 I offered this solution initially in a previous and that’s how I ended up circling back but what I haven’t got an answer on is… what does PoW require here? 

Do I need to complete a CAPTCHA or do I need upgraded GPUs? And if so, how is this ever going to take down meta? 
 “what does PoW require here?”

Are you asking about how to technically implement it? 

Devs would probably need to make protocol changes to attach a hash “proof” with each message.

Each proof would have a “difficulty” meaning the computational effort required. Presumably this would be dynamically adjusted over time. 

Your phone or computer would do this in the background. All you would notice is the delay, the battery consumption, and your phone getting hot. 

Take down meta? 🤔🤷‍♂️ Does it need to? Personally, I’m happy chatting with a few freedom loving bitcoin maxis. 😊 
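
An added hashcash-style sketch of the "hash proof with a difficulty" described in the post above (not part of the original post and not nostr's actual event format): the client searches for a nonce, the relay verifies with a single hash. The field names and the JSON serialization are assumptions made for this example.

```python
import hashlib
import json


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def note_hash(note: dict) -> bytes:
    # Assumed serialization for this example: canonical JSON of all note fields.
    blob = json.dumps(note, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).digest()


def mint(content: str, author: str, difficulty: int) -> dict:
    """Client side: try nonces until the hash meets the difficulty (about 2**difficulty tries)."""
    note = {"author": author, "content": content, "difficulty": difficulty, "nonce": 0}
    while leading_zero_bits(note_hash(note)) < difficulty:
        note["nonce"] += 1
    return note


def relay_accepts(note: dict, min_difficulty: int) -> bool:
    """Relay side: one hash to verify, however long the client spent minting."""
    claimed = note.get("difficulty", 0)
    # The difficulty is part of the hashed data, so it cannot be raised after minting.
    if not isinstance(claimed, int) or claimed < min_difficulty:
        return False
    return leading_zero_bits(note_hash(note)) >= claimed
```

Each extra bit of difficulty doubles the expected minting work while verification stays at one hash, which is the asymmetry behind the delay and battery cost the post mentions.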
 Love the discussion, thank you! Sorry I wasn't more explicit, but I meant use the Bitcoin network and existing PoW protocol. In other words, every post, like, and repost would require a one or more Satoshi transaction, but imbedded in the protocol, in your client. You can acquire those sats any way you ordinarily get sats... great quality content to earn zaps, buy them, mine, etc.  
 Thank you! Okay… that is the only question I needed answered. When I think of PoW I think of a totally different environment than… your phone battery drains. 
 So, essentially worst fucking case scenario… I just need a portable battery? Sold. 
 I think that this is bigger than people understand… I think that yes, meta cannot continue to exist in the way that it does. 
 The problem with banning IPs is there could be 100 users behind a single VPN or Tor IP, and you end up banning all of them for one spammer. 
 So what's your solution? Just accept spam? 
 Use reCAPTCHA v3.
Also, post honeypots that only bots can see, and when they engage with them (which regular users won't do as they won't see them) ban them. 
 IMHO, using recaptcha would be like using “Sign in with Google”. 
 Recaptcha would have to become a NIP since all of this happens over websockets and not basic HTTP. And then nostr clients would need to add support for recaptcha. 
 At the end of the day, vpn users are not blocked because they can use other relays. I’m trying to stop spam for users of the damus relay, if vpn users were disrupted then nostr wouldn’t be decentralized. Use a paid relay to guarantee delivery, there are no guarantees on public relays. They are heavily rate limited and spam filtered 
 Idea a) note staging/triaging relays 'noob relays': relays that accept all notes, filter spam from them and offer a concentrated remainder as a service (wot rateable, 3rd party auditable service)
Idea b) reverse auditing the timestamps of notes by an npub manually/visually (a visual representation of the time distribution may show obvious algoposting to human).  could be displayed alongside a visual representation of a word frequency analysis sourced from the npub's past N notes; perhaps deviation from typical vocabulary is a usable metric
Idea c) client sends a random bit of user data with the note.  i.e. how long did it take between final character typed and 'submit note' was clicked?  what deviation from straight line tangents were the mouse movements in the 3 seconds prior to posting?  Was the note's text copy/pasted into the note editing box, or was it typed?  Client sends just one of these bits of data to minimize making personal info public, but npubuser does not know which one will be sent, and so it is difficult to game, but helps to identify real users (and manual spammers). 
 I have a NIP proposal called Zaps for comments. Idea is: clients and relays only accept a zap as a reply, if you opted in for that note. and you’re expected to refund the zaps back if they are legit.

https://github.com/nostr-protocol/nips/pull/1483 
 These spam wars disunite the community. I agree that we need to try different options to combat spam. I would try using the relay with exclusively nip-05 accounts for example. Getting nip-05 for spammers won't be that hard, but you'll need to rent domains, distribute check marks en masse, and even after that, such domains will be easy to identify as spam/untrusted and filter. 
 Spam is a small price to pay for freedom.  My only objection is reply guy is cramping my style, how am I supposed to swoon all the nostr ladies with this bro cock blockin.  

I appreciate your efforts to mitigate this issue locally. 
 Depends on the definition of *stop*.

Responsively Resistant. Allows spamming at a cost.

Bitcoin fees are standing by, ready to *make them pay* Spammers pay, then pay, then keep paying……Eventually they run out of resources.
SATs have then flowed to miners.

On a long enough time window, fees *stop* spammers and scammers and those who censor 
 It’s an ultramarathon, not a sprint. They all eventually stop running. 
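 My environment is currently taken over by archlinux, so I'll write it later or something. 
 Whereas an investigation under (the National Tax Violations Control Act) is a so-called compulsory investigation, an ordinary tax audit is a voluntary investigation, although there is a duty to submit to it. https://ja.wikipedia.org/wiki/%E5%9B%BD%E7%A8%8E%E7%8A%AF%E5%89%87%E5%8F%96%E7%B7%A0%E6%B3%95 🔥 👍 I don't quite understand what you're saying RE: https://misskey.io/notes/9yapvap23aof0g1h 🎉 nostr:note19puspyuss2u78r2yf5k9gggy564tumvc4vk2pupzeys7ylgf3laq0wmqqr 😀 
 I wish I had the kind of stomach that could wolf down stuff like this and go "That was delicious! Now let's get moving!" 🤔 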
 Destroyer of North Korean propaganda... come on, Castanhari, WHAT FOR 🤔 🔥 👍 🎉 💯 
 I'm here if. 
 🤖 Tracking strings detected and removed! 🔗 😀 Clean URL(s): https://youtu.be/MIEVoulYZM0 ❌ Removed parts: ?si=qj8GXcFT9whQkM6E 
 Very much protectionism, liars and shitcoins in this picture