Oddbean new post about login | logout Not particularly difficult, but it becomes a game of attrition for the attacker, where they will now have to burn money for every domain they use to spam with. Whereas roating IPs on aws incurs no additional cost other than provisioning time. Freenom domain TLDs could be used to avoid paying, but wildcarding those TLDs could be done.
I think this reasoning vastly underestimates how many free or dirt-cheap options there are out there. In my opinion, NIP-05 verification is a band-aid measure at best. We can’t blacklist all free or cheap top-level domains without impacting a lot of legitimate Nostr users. For instance, are relay operators willing to blacklist free NIP-05 services like Nostrum, zaps.lol, Nostrcheck.me, etc.? Because we live in a ChatGPT/Claude world, and script kiddies can easily mass-register using a combination of these services.
Then why isn't Mastodon getting spammed this badly?
You know the answer better than I do Alex. ActivityPub and Nostr are different beasts. There’s still plenty of spam on ActivityPub, but historically, if someone uses a Mastodon, Rebased, or whatever server to mass-register bots and spam the network, the server under attack will be defederated faster than you can say "moderation." I’m not saying that Mastodon is failsafe, by the way. There are plenty of unpatched vulnerabilities being exploited. Luckily, "ReplyGuy" doesn’t have thr hots ActivityPub at the moment. Still, my point stands: NIP-05 verification only requires someone to post a nostr.json somewhere. The equivalent Mastodon "link verification" feature isn’t what’s stopping Mastodon servers from getting hammered.