Ask HN: Cloudflare incorrectly banned me – can anyone help?
The TLDR; 10 days ago I was banned from Cloudflare allegedly for "phishing". I have never phished, nor used Cloudflare to proxy illegal content.
I am a long time HN user but I created a throwaway account to avoid being linked to my employer.
10 days ago I got an email saying my account was suspended for "phishing". I contacted Cloudflare support immediately and within 60 seconds I got a reply saying my account was permanently banned with no further information. I think this was an automated response. I followed up explaining my account had never been used for "phishing" and it hosted a number of small businesses and would they reinstate it. I never got a reply.
My downfall must been related to Cloudflare Workers. I used it to create some apps including proxies that modified mainstream news websites. They acted as uBlock + Stylish for locked down computers where I could not install browser extensions. I did not share these with anyone, but I did not secure them with HTTP auth. I didn't think anyone could guess the xyz.abc.workers.dev URLs to access the proxies but automated software must have detected them and flagged them as phishing sites.
I was too clever for my own good, but I was not malicious, I did not abuse the Cloudflare platform and I never phished. I just created an application for my own personal use. I do not think any Clouldflare engineer looking at my Worker code would think it was malicious in any way. My account had current billing details and I was a paying customer in the past.
Lessons learnt: Don't be clever and security is ALWAYS important.
I would like to continue using Cloudflare. I worry I will be banned from their other services. If I was blocked at an IP level, it would be far more devastating than being permanently blocked by Google.
If anyone can help me, even just to clear my name, I would very grateful to you.
31 comments
[ 2.9 ms ] story [ 77.7 ms ] threadhttps://ip2.surprise.workers.dev/
The proxy's are also at *.surprise.workers.dev.
I did not delete any code or make any changes to avoid looking guilty when CF support took a look at it.
I do plan on deleting the proxies. I am done being clever. I do have some useful workers that I would like to keep.
Hackernews isn't a necessary route, and quite frankly no changes need to be made to existing policies. The individual could directly reach out team via a reply to the email they received. It seems in this case the person just didn't like the reply they received. That's quite different.
Sounds like if nothing is wrong with the policy, then the company is applying the policy inconsistently.
Too often these email replies are automated and nobody looks at them. Even more so they briefly look and just say sorry still banned.
Only when it's raised publicly does somebody ACTUALLY look.
Even with an enterprise support contract the idea of calling is completely discouraged to the point it's hidden behind menus of finding a customized code to call support. Their e-mail support is a pain also because there are different techs responding with different ideas to solve a question. They don't have chat support which is annoying as well in this day and age. If you want things done, their account management team gets it done fast when on boarding.
Although the product is really good and has some limitations which are annoying but if you can deal without support this is a great product. Also their post postmortems are amazing.
Strange, Cloudflare has an official worker template to do just that (sans modifications): https://developers.cloudflare.com/workers/templates/pages/bu... Sounds like officially endorsed use case to me.
In fact I was thinking about doing the same the other day, but haven't gotten around to it...
For some reason, everyone always thinks this will never happen to them, they want to move to cloud because "they will do everything for them" while they totally ignore it's a one big vendor lock-in and pretty pricy at that.
What kind of lesson is that, we wouldn't have the internet as we know if people just followed the rules. If anything this signals that cloudflare is yet another huge company that can just shit on you with little recourse.