
Ask HN: Has Cloudflare blocked your domain without explaining what's going on?

335 points| malikNF | 3 years ago

I had transferred the domain from Namecheap to Cloudflare because I had heard good things about them on here. Everything was working well (Mainly use this domain for my personal emails) and now nothing is working, no warnings, nothing.

I contact cloudflare support and they transfer me over to their "Trust & Safety" team.

This is the response I get.

------

` Hello,

Your account violated our terms of service specifically fraud. The suspension is permanent and we will not be making changes on our end.

Regards, Cloudflare Trust & Safety `

-----

What the heck is that supposed to even mean? Has anyone else had any way to deal with this sort of issue? Anyone from cf lurking here who can help me please? This is my personal domain and a lot of my other accounts are attached to this. Like what am I even supposed to do here ?

192 comments

[+] malikNF|3 years ago|reply
Update: Just received an email from CF.

--------------

Hello,

With regard to your inquiry, we have restored the domain names in your account to active status. Please allow for normal propagation. You will need to re-add mnf90.com to your account in order to manage it. Our apologies for any inconvenience this may have caused.

Kind Regards, Cloudflare Trust & Safety

------------

Not much info lol, but guess it's fixed now?

Thanks HN for up-voting my post and helping me get the attention of CF. Time to go figure out how not to get into this situation again, and a way to mitigate this in case the AI gets angry again. Funniest thing about this is, I wanted my own email because I was afraid of this scenario, getting locked out of everything, what happens if big G or M decide to close my account down?

Again, thanks HN. Really appreciate you folks for helping me get the attention.

[+] akersten|3 years ago|reply
You keep framing this as "how do I make sure I don't get into this situation again," but with the attention this is getting (#6 on HN) and just how bad the issue is (both functionally and PR-wise)... Cloudflare should really do a public post-mortem here. It sounds like it's their fault.
[+] malikNF|3 years ago|reply
Update 2:

-----------------------------

Hello,

To clarify the issue, this account was identified in a recent fraud review, however it appears to have been a false positive. We have left a note in this account for future reference.

Kind Regards, Cloudflare Trust & Safety

[+] devoutsalsa|3 years ago|reply
> The suspension is permanent and we will not be making changes on our end.

"J/K LOL"

[+] srrr|3 years ago|reply
If you live in the EU, Article 15 of the GDPR grants you the right to ask about the details. Often companies reply that they don't need to answer because of "security" but this is not true. You can in detail ask about ALL personal data that was used as an input for this decision, information about the "automated decision-making" (algorithm), and all personal data that resulted out of this process. https://gdpr.eu/article-15-right-of-access/

If any of this data is false you have the right to rectification. https://gdpr.eu/article-16-right-to-rectification/

[+] thaumaturgy|3 years ago|reply
FWIW I also had a recent experience with Cloudflare "Trust & Safety" and it was my first negative Cloudflare experience, unfortunately.

A client-of-a-client had their site reported to CF for malware distribution via Netcraft. I reviewed the site and found nothing unusual-looking. I dug out a month's worth of access logs for the site, carefully filtered them, and then eyeballed all of the tens of thousands of remaining lines, and again, nothing unusual. No sign whatsoever that the site had ever distributed any malware.

There were signs that the site had been probed a number of times by one or a few bad actors, a bit more than just the usual background scanning. Best guess was that, having failed to take the site down through direct means, somebody filed some fraudulent reports against it.

DigitalOcean also received a report on the site, and that's where the difference in handling the issue really became apparent. I sent essentially the same response to both DO and CF. DO sent back a quick, "thanks for taking a look at it, we're not going to take any action at this time, have a nice day" response.

Cloudflare on the other hand pre-emptively took the site down and then took a while to reply at all. When they did, the reply was extremely opaque: "this report has been processed". Like, okay... and?

I had by that time already routed the site off of Cloudflare and had it back online, so the impact was minimal, but now that I know what it's like to deal with this category of issue at Cloudflare, I have to ensure that it's always easy to take anything off of Cloudflare. I love Cloudflare generally, so this is really disappointing.

[+] throwawayforcf|3 years ago|reply
My only interaction with cloudflare's "Trust and Safety" team involved reporting a site using their services, and that site hosted a large archive of child pornography [1], for which I provided a sizable chunk of evidence, which would have let them easily verify my claim.

All I got back was a canned response that cloudflare is not actually hosting anything and cannot do anything and will forward my complaint to the ISP that really hosts the website.

Replying back to that email, asking whether they couldn't at least close the cloudflare account in question, I was greeted with exactly the same canned response again.

Responses from law enforcement I tried were also rather underwhelming, but that isn't cloudflare's fault.

This was a while ago, and it all was rather discouraging. And I can only hope they got their act together now...

But I guess not. I just checked, and the site is online again, under the same domain, and using cloudflare again. I'll report them again now, I think.

[1] Including a lot of the child porn this UK blackmailer had traded and sold: https://www.bbc.com/news/uk-england-birmingham-59614734 The site I reported was re-selling the stuff for crypto or gift cards, with a lot of free samples.

Now you may wonder why in hell I would even know about any of this. I used to be a small time moderator on a small time website where some of our users shared some of the content/links to the content.

[+] doctor_eval|3 years ago|reply
Isn’t CloudFlare’s whole schtick about keeping you online? Requiring you to deploy technical means to deal with your domain name being automatically thrown under a bus by their AI seems like the exact opposite of what I’m looking for.

Does this only affect free accounts? Do you at least get an account manager for escalation if you pay?

Honestly, this whole thing of scaling service abuse handling through AI is a dumpster fire.

[+] malikNF|3 years ago|reply
>I have to ensure that it's always easy to take anything off of Cloudflare. I love Cloudflare generally, so this is really disappointing.

This line pretty much echoes my attitude to cf going forward. Come to think of it, not just CF, guess it's going to apply to every company I deal with going forward. Although it sounds good in theory, wonder how hard it is going to be to apply this on every situation I rely on a 3rd party company.

[+] ehvatum|3 years ago|reply
Huge thanks for taking the time to post this. I am working with clients who are disrupting Chinese imports for things more easily made here, and the number one concern is bad actors using any easily available digital means to interrupt operations. DO sounds like the way to go.
[+] null_object|3 years ago|reply
I can’t believe how lightheartedly you are taking this. (edit: I guess your initial reaction when the domain was reinstated was probably a bit of euphoria).

This faceless corporation simply took away your property without explanation or warning, and didn’t even feel any obligation to explain why.

For many people the consequences might have been losing their own or even their family’s source of income.

Their behavior was despicable and callous.

When did these tech companies start thinking they were all-powerful and above the law like this?

[+] malikNF|3 years ago|reply
> I can’t believe how lightheartedly you are taking this.

What is the alternative though?

The web has turned into this massive mess where most of us don't have the ability to do anything without having to rely on some ban happy mega corp.

Even something that was built to be decentralized like email has turned into a (sort of) centralized architecture, try hosting your own email, everything goes in to spam.

Host a website and piss off some kid with $5 to spare, you get ddosed.

The web is owned by the big corps, as long as everyone of us come together and fix this it will be a very long time (if ever) before we have a truly decentralized internet.

So yeh, the only option I have is to take this lightheartedly and move on.

[+] mise_en_place|3 years ago|reply
It would never happen in a real enterprise like AWS. Cloudflare is small potatoes compared to Amazon.
[+] sph|3 years ago|reply
> The suspension is permanent and we will not be making changes on our end.

Someone else in this thread explained this as "they're flat up holding it hostage until it's publicly available for anyone to register."

I will not do business with companies whose word is final, with no explanation and no recourse whatsoever, unless you shout loud enough that someone higher up the org tree decides to figure out what has happened. Especially when the decision actually comes from a fallible, subpar automated system. Fuck that dystopia. Shameful behaviour, Cloudflare.

[+] hda2|3 years ago|reply
Same here. Domains are the only thing I can't replicate or make redundant. If there is ANY risk of me getting locked out of my domains without even the possibility of transferring the domain away to another registrar, then I'm gone.

Bye, cloudflare.

[+] Sephr|3 years ago|reply
If I had to guess, the OP's payment method is specifically what got flagged, resulting in the domain being blocked.

See https://community.cloudflare.com/t/domain-not-working-after-... where someone who appears to be the OP mentioned that CloudFlare auto-refunded some charges.

CloudFlare should still post a public postmortem as to how this user got wrongly flagged (excluding any personal info). The OP has already consented to this: https://news.ycombinator.com/item?id=31574656

[+] malikNF|3 years ago|reply
Yep, that's me. It's linked to my personal credit card from RBC bank Canada which I pretty much use for everything else. Haven't seen anything from my banks as well. I just see the refund in my account.

Let's hope cf would tell us what exactly happened and why they were so aggressive and why there was no warning to let their customers prepare before they decided to do this.

[+] eins1234|3 years ago|reply
Wow, that's terrible. Thank you for the heads up. Just transferred my domains back to namecheap.

While we're all here venting about Cloudflare, is anyone else frustrated about how they lure you in to their CDN product with "free" bandwidth, but then lock so many useful features arbitrarily behind what I can only imagine is a thousands of dollars per month enterprise plan? Just look at their cache-purging page for an example of this, everything other than basic purge by URL is enterprise only: https://developers.cloudflare.com/cache/how-to/purge-cache/

These days Cloudflare is literally my last choice for a CDN for my new projects, and I try to warn against others considering using it. My new go-to is bunny.net, who charges a reasonable usage-based fee for bandwidth and gives you unfettered access to all the features they've built. Though I'd even reach for Cloudfront with their expensive bandwidth costs these days, because at least their pricing is transparent and scales smoothly with usage, and they don't arbitrarily cut you off from useful features.

Even their bandwidth might not really be "free", since I've heard if you actually use any significant amount, the sales people will come knocking on your door to coerce you to get on the same enterprise plan or have your site taken down.

[+] xxdesmus|3 years ago|reply
Hello, I'm the Head of Trust & Safety. Please forward me the email? This is very likely legitimate and from our team, but I'd like to confirm. justin@ cloudflare.com
[+] bxparks|3 years ago|reply
I recently transferred my domains from Google to Cloudflare precisely to avoid being terminated by Google's false-positive AI. Now Cloudflare is pulling the same stunt? Is there anything you can say to reassure your customers? Or do we need to find another registrar?
[+] johnklos|3 years ago|reply
Hey, Justin... Perhaps you can explain why this happened in the first place while also explaining why you ignore complaints about tons of spammers and scammers that are hosted(note) on your platform?

(note) hosting is providing services on the Internet without which a site / domain won't work, so please don't try to pretend you don't host because you've decided to redefine "hosting".

[+] donmcronald|3 years ago|reply
It’s very disappointing to see the same old big tech false positive “no appeals” failure from Cloudflare. I’m extremely bullish on Cloudflare because I think the way Pages/Functions work with framework adapters is a compelling solution.

Why can’t anyone come up with a solution that keeps this kind of thing from happening? How much does it cost to phone someone before potentially ruining their life and why can’t we simply pay money for that option?

[+] heretogetout|3 years ago|reply
If malikNF consents, would you share your findings here? It's concerning you can be banned without so much as a brief sentence explaining why.
[+] shkkmo|3 years ago|reply
This was a false positive that was upheld through at least one round of human review.

That is incredibly concerning for your existing customers. Is there anything that legitimate users can do to preemptively verify their accounts so that they at least can't get taken down without human review?

[+] animuchan|3 years ago|reply
This is terrifying, as I've transferred my domains to you some time ago.
[+] sascha_sl|3 years ago|reply
I know this sounds very cynical, but there's something funny about a company doing this automated trust and safety with zero recourse spiel while being entirely okay with hosting sites where people are bullied into suicide because we can't just deny service to technically legal websites as a pseudo public utility.

Pick a lane.

[+] cookiengineer|3 years ago|reply
^ kinda right, you know.

As long as kiwifarms and others are hosted behind cloudflare, this statement is true.

[+] pessimizer|3 years ago|reply
Good point, but fraud and theft are different than being unpleasant or cruel.
[+] herpderperator|3 years ago|reply
> Your account violated our terms of service specifically fraud.

Honestly, this phrase is raising phishing alarm bells in my head, though xxdesmus said it's `likely legitimate`. The punctuation and capitalization is lacking, and really makes it sound... off.

Edit: I originally thought this was an email, but upon reading the post again it sounds like a response to OP's support ticket. There's a lot less effort involved in responding to a support ticket or chat message than the effort involved in writing up email templates, so my point doesn't quite apply here.

[+] janejeon|3 years ago|reply
Yeah, the lack of comma, and the phrase "specifically fraud", are extremely alarming to me.

I understand that not all developers are native English speakers, but far more scammers are non-natives than devs are; not to mention, there are likely checks in companies like this to proofread any text before it goes "live".

[+] ab-dm|3 years ago|reply
Ever since CF went public, their support quality has fallen off of a cliff. It's really sad to see as they have a great service, and especially recently have built some amazing stuff. I just don't understand why humans helping humans has become so much of a thing to avoid.

Yes it's tricky, and it doesn't scale well, but that's the price you pay when working with people.

Glad that there was a good outcome, but very sad to see it took getting on Page #1 of HN to be resolved.

[+] nonrandomstring|3 years ago|reply
This sounds like a phishing expedition to provoke you into rash action. Pause. Take a breath. Don't click anything. Try to contact the company via a safe secondary channel like landline telephone and start by politely verifying if they've contacted you by email for any reason in the recent past.

If it really is from Cloudflare then they are trash beneath contempt and you should extricate your interests as fast as humanly possible.

[+] malikNF|3 years ago|reply
It is actually from cloudflare. When I stopped receiving emails I checked my cf dashboard and figured something was wrong.

So I opened a support ticket and someone from their support team closed the ticket and said their safety team will respond to me.

Few mins later I got an email from them with the content in the original post.

[+] agentdrtran|3 years ago|reply
All of Cloudflare's actual abuse emails look like phishing emails. They told me to email credit card and my Gov't ID in plaintext to them.
[+] RainaRelanah|3 years ago|reply
Did you have any other domains on the account, or shared access with other accounts?

I hate how legal has forced every trust & safety team to just blanket reply "You were banned. We won't tell you why. We won't overturn. Go away." It's absolutely impossible to contest without public attention or legal action, and is often just a simple mistake.

[+] anderspitman|3 years ago|reply
Hope you get it figured out.

This is an example of why it's a good idea to keep your domain registrar separate from as much else as possible. The more services you use from a company, the more surface area there is for your account to get inadvertently flagged, and the bigger impact a suspension will have.

[+] wanderingmind|3 years ago|reply
Once you transfer your domain out, make sure to take them to arbitration since you must have paid for their services. The more people take these orgs to arbitration, the more fearful they will become of making such blanket bans. There was a recent post on HN about arbitration [1]

[1] https://news.ycombinator.com/item?id=31567673

[+] tyingq|3 years ago|reply
The biggest deal to me here is no escape hatch. If Cloudflare decides they don't like me, fine. But give me a button-press way to transfer my domain out, immediately, then. No asking, no waiting. You ban me, you crack open that functionality at the exact same time and link to it in your "we don't like you anymore" email.
[+] social_quotient|3 years ago|reply
Seems like removing a site and accusing it[owner] as fraudulent would be some sort of slander/defamation and require a lot more proof and/or liability should they be wrong.

The ai world should have some penalty for being wrong to discourage this sort of behavior in a punitive way. This would dissuade companies from scaling before things are really ready.

Thoughts?

[+] groffee|3 years ago|reply
At this point we should just rename HN 'cloudflare support'.
[+] yumraj|3 years ago|reply
Oh for F's sake..

I had moved my domains from Google to CF sometime ago, assuming my emails etc. are protected, and now this.

Honest question: What is a good registrar? I used to use Namecheap in the past and have nothing against them.

Unfortunately, unlike other things I cannot self-host a registrar.

Thoughts? Suggestions?

Edit: TBH, I find this wording rather rude "The suspension is permanent and we will not be making changes on our end." especially for a paid product.

[+] irthomasthomas|3 years ago|reply
How can a "suspension" be permanent? It is by definition temporary. I hate this timeline. If they keep inverting the meaning of words, soon nothing will make sense.
[+] teraflop|3 years ago|reply
> Like what am I even supposed to do here ?

Not meaning to diminish your (quite reasonable) frustration, but is Cloudflare preventing you from transferring your domain somewhere else?