Archived link

Research into websites that are openly advertising services to a cybercriminal audience, such as bulletproof hosting, reveals that many of these domains are supported by Cloudflare’s services, the NGO Spamhaus says.

For years, Spamhaus has observed abusive activity facilitated by Cloudflare’s various services. Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS).

With 1201 unresolved Spamhaus Blocklist (SBL) listings, it is clear that the state of affairs at Cloudflare’s Connectivity Cloud looks less than optimal from an abuse-handling perspective, Spamhaus writes on its website. 10.05% of all domains listed on Spamhaus’s Domain Blocklist (DBL), which indicates signs of spam or malicious activity, are on Cloudflare nameservers . Spamhaus routinely observes miscreants moving their domains, which are already listed in the DBL, to Cloudflare to disguise the backend of their operation, be it spamvertized domains, phishing, or worse.

    • garrett@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      It’s a bit more about how miserable it is to work with Cloudflare and their unwillingness to remove abuse in general, opting to say they’re “not the host” and that they cannot tell you where it is but they cannot do anything. It’s hardly an ethical decision to say that phishing and bulletproof hosting aren’t the bedfellows you want.

        • garrett@infosec.pub
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          5 months ago

          There’s a balance to be struck here but Cloudflare is truly the most miserable entity I have to work with from an abuse perspective. They’re not necessarily “ignoring” warrants but most phishing doesn’t get reported with a legal takedown request. In those cases, Cloudflare will be almost intentionally obtuse. I’m happy to outline the misery of a host working with Cloudflare but it’s not necessarily important to this. TLDR; Cloudflare takes steps that don’t make sense for its “we’re not responsible” stance while also having zero automation in the year of our lord 2024.

          I suppose everything could be a legal request but that just makes the whole process so infinitely worse for NGOs like Spamhaus and only serves to make lawyers excited that their consultation fees are going up. I see that the laziest pathway is “Youtube-like strikes” which is misery as well but they could just shift to investigating accounts receiving a high volume of reports as potential fraud or abuse actors since it is a drag on their services and these accounts are not paying or are paying with stolen credit cards.

          Ultimately, I don’t disagree with you that much but there’s a lot of room for CF to improve their management of fraud & abuse without becoming a trash platform or invalidating legal protections. Happy to get into the weeds on this a bit more since it’s a lil’ bit close to home. 😅

  • garrett@infosec.pub
    link
    fedilink
    English
    arrow-up
    6
    ·
    5 months ago

    People who don’t work in fraud or abuse don’t understand how miserable Cloudflare is to work with. They have a single email box I can send to for identifying if I host a website that takes them days to respond to, no automation by the year of our lord 2024.

  • lud@lemm.ee
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    5 months ago

    Good!

    I really really don’t want cloudflare to gatekeep what is or isn’t allowed on the internet. That is the job of the hoster and/or NIC and at very worse the ISP of the hoster.

  • 0x815@feddit.orgOP
    link
    fedilink
    English
    arrow-up
    4
    ·
    5 months ago

    The firm that protects both banks and the Eurovision Song contest (2016) - (Archived link)

    Cloudflare’s roots go back to 2004 when [Cloudflare co-founder Matthew] Prince and Cloudflare co-founder Lee Holloway were working on a computer industry project they called Honey Pot […]

    Five years later […] the project was far from his [Mr Prince’s] mind, when he got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.

    Mr Prince recalls: "They said ‘do you have any idea how valuable the data you have is? Is there any way you would sell us that data?’.

    "I added up the cost of running it, multiplied it by ten, and said ‘how about $20,000 (£15,000)?’.

    “It felt like a lot of money. That cheque showed up so fast.”

    Mr Prince, who has a degree in computer science, adds: “I was telling the story to Michelle Zatlyn, one of my classmates, and she said, ‘if they’ll pay for it, other people will pay for it’.”