Ask HN: Has Cloudflare blocked your domain without explaining what's going on?
I had transferred the domain from Namescheap to cloudflare because I had heard good things about them on here. Everything was working well (Mainly use this domain for my personal emails) and now nothing is working no warnings, nothing.
I contact cloudflare support and they transfer me over to their "Trust & Safety" team.
This is the response I get.
------
` Hello,
Your account violated our terms of service specifically fraud. The suspension is permanent and we will not be making changes on our end.
Regards, Cloudflare Trust & Safety `
-----
What the heck is that supposed to even mean? Has anyone else had any way to deal with this sort of issue? Anyone from cf lurking here who can help me please? This is my personal domain and a lot of my other accounts are attached to this. Like what am I even supposed to do here ?
198 comments
[ 3.0 ms ] story [ 235 ms ] threadIf it really is from Cloudflare then they are trash beneath contempt and you should extricate your interests as fast as humanly possible.
So I opened a support ticket and someone from their support team closed the ticket and said their safety team will respond to me.
Few mins later I got an email from them with the content in the original post.
If it seriously is Cloudflare then the wording of that email you posted is grotesquely unprofessional.
Not meaning to diminish your (quite reasonable) frustration, but is Cloudflare preventing you from transferring your domain somewhere else?
I know @eastdakota mentioned he has a script that gets triggered when someone mentions cloudflare on HN, hopefully this will help resolve this issue.
I wonder how many customers domains Cloudflare stole/deleted who’s owner didn’t have the luxury of knowing the Hacker News publicity trick?
I'm sure I could make decent money off punitive damages based off the email they sent, and these headlines would be pretty catchy -
"Tech giant siezed and deleted a customers domain name."
"Using Cloudflare can destroy your business overnight. This is how"
"Own a domain name? Your registrar can delete it without any recourse."
"Cloudflare siezed and deleted a customers' domain"
I'd need to check if I can use the word "illegally" in the title.
I hope they compensate OP. I'm sure they could still sue them if inclined..ICANN should have some rules about this.
I hate how legal has forced every trust & safety team to just blanket reply "You were banned. We won't tell you why. We won't overturn. Go away." It's absolutely impossible to contest without public attention or legal action, and is often just a simple mistake.
More often than not it's not a mistake.
Very simply put, fighting abuse is very asymmetrical and a lot of the approaches just even the playfield. They will make you put in more effort for them to put in effort.
Unfortunate, but the only way it's sustainable.
So? A false positive rate of 50% is wholey unacceptable when banning people from critical online infrastructure.
> Unfortunate, but the only way it's sustainable.
This common talking point is just BS apologetics.
There is a long history of ways to manage disputes without sending such useless explanations. These companies are just to cheap or lazy to bother.
Where'd you get that number?
> There is a long history of ways to manage disputes without sending such useless explanations.
Sure, the legal system.
Your use of the phrase "more often than not" applies up to 50% and is thus meaningless given that such a false positive rate is unacceptable.
> Sure, the legal system.
It's pretty hard to file a legal claim without facts to contest...which is precisely the point.
Businesses throughout history have been sustainable without needing to ban people at random with AI. This AI hell is a new phenomenon in the past 10 years and it's purely driven by cost-cutting.
When the cost of abuse lowers, so must the cost of defense. So of course cost-cutting has to happen. Otherwise it's going to be a financial DoS.
All that is though only if you want services to have free tiers. If you're willing to pay for everything then sure, it becomes easier. I'm actually quite certain one will encounter much less "AI" when stuff is actually being paid for.
I guess besides free users, the other exception is payment processors. I don't envy Stripe or PayPal.
> Your account violated our terms of service specifically fraud
For domain name registration, I tend to trust smaller players. They tend to not run bullshit AI to suspend customers, and are small enough to be able to spend at least a minute reviewing any flagged user accounts.
(note) hosting is providing services on the Internet without which a site / domain won't work, so please don't try to pretend you don't host because you've decided to redefine "hosting".
understand the tech, there is no redefinition going on
That is incredibly concerning for your existing customers. Is there anything that legitimate users can do to premptively verify their accounts so that they atleast can't get taken down without human review?
Why can’t anyone come up with a solution that keeps this kind of thing from happening? How much does it cost to phone someone before potentially ruining their life and why can’t we simply pay money for that option?
Pick a lane.
As long as kiwifarms and others are hosted behind cloudflare, this statement is true.
Honestly, this phrase is raising phishing alarm bells in my head, though xxdesmus said it's `likely legitimate`. The punctuation and capitalization is lacking, and really makes it sound... off.
Edit: I originally thought this was an email, but upon reading the post again it sounds like a response to OP's support ticket. There's a lot less effort involved in responding to a support ticket or chat message than the effort involved in writing up email templates, so my point doesn't quite apply here.
I understand that not all developers are native English speakers, but far more scammers are non-natives than devs are; not to mention, there are likely checks in companies like this to proofread any text before it goes "live".
Not on the internet I use. Even the old school newspapers are failing basic grammar things that anyone calling themself an editor would catch. Mainly, because they are not getting edited at all. Reports get entered into a CMS, a publish button is pressed, viola, first to publish! Yay!!! Only, in the rush, basic grade school grammar is non-existent and makes my brain slow down, and decipher what was meant, and makes me no longer want to keep reading.
I've seen articles by the AP (!!) that clearly have not gotten enough scrutiny (typos, etc).
> Reports get entered into a CMS, a publish button is pressed, viola, first to publish!
Publishing articles is no time for stringed instruments [1]. Unless maybe you meant it as some kind of fanfare upon publication? :P
[1] https://en.wikipedia.org/wiki/Muphry%27s_law
Oh, the irony...
… yeah … there's really not.
I've both found such errors (there are a few that exist in Azure's stuff, for example. One I know exactly how to trigger: attempt to create a SP for an app in the same tenant as you, but while lacking permission to do so. The error is both grammatically malformed as well as illogical. Azure knows about it … but AFAICT, they don't have the internal processes to fix it.)
I've also caught a few of these before the train left the station as a gratuitous code reviewer. There are definitely some that have slipped by.
At a previous employ, my SO found one in ~10 minutes of playing with our product… and rightly gave me some light-hearted jabs about it.
I'd want to see the whole email. Whether it weighs more towards phish or error would depend on the surrounding context, and whether SPF/DKIM/DMARC pass. (The OP says the did (but it was a later comment), so…)
No, you did not hear good things about the biggest man-in-the-middle of the internet on here, and you're about to learn the tough lesson others have: don't trust Cloudflare with sensitive accounts or data.
This is an example of why it's a good idea to keep your domain registrar separate from as much else as possible. The more services you use from a company, the more surface area there is for your account to get inadvertently flagged, and the bigger impact a suspension will have.
--
I've experienced a near opposite situation: there was a news story about cloudflare providing ddos protection for a number of websites including the site for "The Proud Boys" (if you haven't heard of them, they're an all male far right american political group fairly well known for their physical fights with various other groups). My client, who was often vocal about politics on their public CEO twitter account, made a statement that if Cloudflare did not end their contract with the proud boys and a couple other unsavory groups then he would find an alternative and move all his current and future projects away from them. So it quickly fell to me to move all his legacy properties off Cloudflare and close out their old account... and while they may have lost him as a future customer, after the pain of trying to find similar levels of service for a similar price I am now recommending Cloudflare to most of my clients over their competitors for ease of use and pricing.
--------------
Hello,
With regard to your inquiry, we have restored the domain names in your account to active status. Please allow for normal propagation. You will need to re-add mnf90.com to your account in order to manage it. Our apologies for any inconvenience this may have caused.
Kind Regards, Cloudflare Trust & Safety
------------
Not much info lol, but guess its fixed now?
Thanks HN for up-voting my post and helping me get the attention of CF. Time to go figure-out how not to get in to this situation again, and a way to mitigate this incase the AI gets angry again. Funniest thing about this is, I wanted my own email because I was afraid of this scenario, getting locked out of everything, what happens if big G or M decide to close my account down?
Again, thanks HN. Really appreciate you folks for helping me get the attention.
-----------------------------
Helo,
To clarify the issue, this account was identified in a recent fraud review, however it appears to have been a false positive. We have left a note in this account for future reference.
Kind Regards, Cloudflare Trust & Safety
I started using a personal domain just for email to avoid Google AI kind of screwups, I didn’t know a domain name can have this kind of screwups. I am using a traditional domain hosting company now, definitely not going to use this kind of new tech company to handle the most critical thing.
Waiting for my utility company to turn off my heat: "Your house is fraud. We won't tell you how we know. Fuck off and freeze."
going with cloudflare is a choice towards centralization.
> non-(huge company like Cloudflare)
not
> (non-huge company) like Cloudflare
More like "We can't tell you because it's AI and the (AI) won't tell us why it made that decision".
That's a scary answer. Guess I'll put only mirror/backup domains behind CF in the future.
I too am really interested in figuring out why I(free) and my clients(paid subscriptions) will trust cloudflare. Mistakes happen, but I can't even imagine my situation if HN didn't come to my aid.
This sort of stuff is why explainable AI is IMO important. Assuming the CSR could see _why_ the original domain was flagged by the model as fraud, they could respond in a meaningful way, other than just requiring the OP to go and find someone with more authority than the machine to override the decision.
Unfortunately in these types of situations, getting a satisfying explanation of why something happened is incredibly rare - my understanding is that it's usually at best an educated guess.
That sounds like theft to me
> Registered Name Holders must be able to transfer their domain name registrations between Registrars
(Note that sections 3.7-3.9 do allow registrars to deny transfers, f.e. given "evidence of fraud", but given that they reinstated the domains I doubt they have evidence of fraud.)
https://www.icann.org/resources/pages/transfer-policy-2016-0...
The behaviour was wrong and concerning yes, but it seems internally consistent, all along the 'fraud' path.
Ah, cant wait until you understand the nature of money itself ;)
Edit:- Then the problem comes from registry. So, along with being a registrar, that individual will need to become a registry recognized by ICANN
There’s a case for not having your registrar also host your DNS records.
Yeah I love the future we all live in... :|
If any of this data is false you have the right to rectification. https://gdpr.eu/article-16-right-to-rectification/
Since the domain and account belongs to you as a person, this is all personal information under GDPR.
If they don't unfraud you AND don't produce the data they are not in compliance of either article 15 or article 16 and have delivered the proof noncompliance themselves.
That is only true in specific cases of processing, as detailed by article 22: "a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".
In the case of a domain name used for email I think you could legitimately argue that the decision "significantly affected" you, but it's kind of undefined so far what the bar is for this criterion.
"this account was identified in a recent fraud review, however it appears to have been a false positive"
> which produces legal effects
Deprivation of property.
For me deleting my domain would be far worse than deleting my telephone number and significantly affect me. But yes, this is a case by case decision.
I just wanted to say something like: You have rights. Don't be afraid to use them. These companies are not above the law.
Even if not intended, a reviewer that sees mostly true positives is very likely to become a blind rubber stamp.
"J/K LOL"
This faceless corporation simply took away your property without explanation or warning, and didn’t even feel any obligation to explain why.
For many people the consequences might have been losing their own or even their family’s source of income.
Their behavior was despicable and callous.
When did these tech companies start thinking they were all-powerful and above the law like this?
What is the alternative though?
The web has turned in to this massive mess where most of us don't have the ability to do anything without having to rely on some ban happy mega corp.
Even something that was built to be decentralized like email has turned in to a (sort of) centralized architecture, try hosting your own email, everything goes in to spam.
Host a website and piss off some kid with $5 to spare, you get ddosed.
The web is owned by the big corps, as long as everyone of us come together and fix this it will be a very long time (if ever) before we have a truly decentralized internet.
So yeh, the only option I have is to take this lightheartedly and move on.
On the topic of hosting email specifically, I thought it was pretty universally accepted as a tricky prospect. It’s possible to get right, yes, but tricky nonetheless.
For the websites you own, you registered your domain with someone right? What happens when that company decides to have some AI decide if you are doing something illegal?
Until today I "never had" any of these issues as well, the main issue here is we have to rely on large companies (or small companies for that matter tbh) to do "the right thing", and we don't have many options to solve it. I got super lucky some folks browsing HN decided to get my post some attention.
That is a lot better than deleting your domain and refusing to talk to you. If you need more bandwidth your VPS host will be more than happy to take your money. And short downtimes are not really much of a problem for personal websites and email. Losing your domain name is a much bigger concern.
> For the websites you own, you registered your domain with someone right? What happens when that company decides to have some AI decide if you are doing something illegal?
Has that EVER happened with any registrar that is not also handling other things like hosting or CDN for you? With just the domain all they could base their "AI" on would be the domain itself unless they go actively prodding third-party servers.
> The web has turned in to this massive mess where most of us don't have the ability to do anything without having to rely on some ban happy mega corp.
That's absolutely not true. You're drinking the HN/startup koolaid if you think everything should be on CloudFlare/AWS/Google/Microsoft/etc and there's no other way. Obviously VCs would love for you to think that but it doesn't make it true.
Domain registrars are plentiful. Dedicated server providers are plentiful. Hell, "shared hosting" is still a thing and may be perfectly appropriate if all you need is a static site.
Pick a mid-sized company whose objective is to deliver great service rather than one whose objective is either "growth and engagement" or to monopolize the internet. Ideally pick one within your jurisdiction so that you have more recourse if things go wrong.
1: https://news.ycombinator.com/item?id=31551846
Someone else in this thread explained this as "they're flat up holding it hostage until it's publicly available for anyone to register."
I will not do business with companies whose word is final, with no explanation and no recourse whatsoever, unless you shout loud enough that someone higher up the org tree decides to figure out what has happened. Especially when the decision actually comes from a fallible, subpar automated system. Fuck that dystopia. Shameful behaviour, Cloudflare.
Bye, cloudflare.
[1] https://news.ycombinator.com/item?id=31567673
A client-of-a-client had their site reported to CF for malware distribution via Netcraft. I reviewed the site and found nothing unsual-looking. I dug out a month's worth of access logs for the site, carefully filtered them, and then eyeballed all of the tens of thousands of remaining lines, and again, nothing unusual. No sign whatsoever that the site had ever distributed any malware.
There were signs that the site had been probed a number of times by one or a few bad actors, a bit more than just the usual background scanning. Best guess was that, having failed to take the site down through direct means, somebody filed some fraudulent reports against it.
DigitalOcean also received a report on the site, and that's where the difference in handling the issue really became apparent. I sent essentially the same response to both DO and CF. DO sent back a quick, "thanks for taking a look at it, we're not going to take any action at this time, have a nice day" response.
Cloudflare on the other hand pre-emptively took the site down and then took a while to reply at all. When they did, the reply was extremely opaque: "this report has been processed". Like, okay... and?
I had by that time already routed the site off of Cloudflare and had it back online, so the impact was minimal, but now that I know what it's like to deal with this category of issue at Cloudflare, I have to ensure that it's always easy to take anything off of Cloudflare. I love Cloudflare generally, so this is really disappointing.
This line pretty much echos my attitude to cf going forward. Come to think of it, not just CF guess its going to apply to every company I deal with going forward. Although it sounds good in theory, wonder how hard it is going to be to apply this on every situation I rely on a 3rd party company.
You can burn a lot of productivity trying to make everything completely fail-safe. Building stuff out of today's technology requires deciding which companies you're willing to gamble on and accepting that eventually the odds will catch you.
Does this only affect free accounts? Do you at least get an account manager for escalation if you pay?
Honestly, this whole thing of scaling service abuse handling through AI is a dumpster fire.
All I got back was a canned response that cloudflare is not actually hosting anything and cannot do anything and will forward my complaint to the ISP that really hosts the website.
Replying back to that email, asking whether they couldn't at least close the cloudflare account in question, I was greeted with exactly the same canned response again.
Responses form law enforcement I tried were also rather underwhelming, but that isn't cloudflare's fault.
This was a while ago, and it all was rather discouraging. And I can only hope they got their act together now...
But I guess not. I just checked, and the site is online again, under the same domain, and using cloudflare again. I'll report them again now, I think.
[1] Including a lot of the child porn this UK blackmailer had traded and sold: https://www.bbc.com/news/uk-england-birmingham-59614734 The site I reported was re-selling the stuff for crypto or gift cards, with a lot of free samples.
Now you may wonder why in hell I would even know about any of this. I used to be a small time moderator on a small time website where some of our users shared some of the content/links to the content.
This part of hosting actually worked better back when we were all using GoDaddy and Bluehost and the like.
Cloudflare apparently signed up as a member in August of 2021: https://www.iwf.org.uk/membership/our-members/cloudflare/
Cloudflare in the meantime gave me another canned response, saying they aren't hosting anything, etc, but at least this time they also included this:
> This email is to confirm that your abuse report to Cloudflare has been received and will be processed shortly.
See https://community.cloudflare.com/t/domain-not-working-after-... where someone who appears to the be OP mentioned that CloudFlare auto-refunded some charges.
CloudFlare should still post a public postmortem as to how this user got wrongly flagged (excluding any personal info). The OP has already consented to this: https://news.ycombinator.com/item?id=31574656
Lets hope cf would tell us what exactly happened and why they were so aggressive and why there was no warning to let their customers prepare before they decided to do this.
The OP didn't say even one sentence about something like "I didn't do anything fraud related" or "I have no clue why it could possibly be flagged". But from my understanding of the world, if that's what OP thought, he probably would have said it.
I also find that nothing is being served from the domain mnf90.com after it's reinstated, not sure if this has been the case in the last few months.
>I also find that nothing is being served from the domain mnf90.com after it's reinstated, not sure if this has been the case in the last few months.
https://web.archive.org/web/*/mnf90.com
lol there was nothing else running here. Now that you mention it, maybe I should start blogging here.
While we're all here venting about Cloudflare, is anyone else frustrated about how they lure you in to their CDN product with "free" bandwidth, but then lock behind so many useful features arbitrarily behind what I can only imagine is a thousands of dollars per month enterprise plan? Just look at their cache-purging page for an example of this, everything other than basic purge by URL is enterprise only: https://developers.cloudflare.com/cache/how-to/purge-cache/
These days Cloudflare is literally my last choice for a CDN for my new projects, and I try to warn against others considering using it. My new go-to is bunny.net, who charges a reasonable usage-based fee for bandwidth and gives you unfettered access to all the features they've built. Though I'd even reach for Cloudfront with their expensive bandwidth costs these days, because at least their pricing is transparent and scales smoothly with usage, and they don't arbitrarily cut you off from useful features.
Even their bandwidth might not really be "free", since I've heard if you actually use any significant amount, the sales people will come knocking on your door to coerce you to get on the same enterprise plan or have your site taken down.
Anyone have other recommendations for where I should keep my domains?
That would annoy me - I should not have to bother with phone calls for something as sensible as making sure a domain I care about stays under my control for as long as possible. That is unless that was a vanity gTLD with particularly high renewal fees.
I had moved my domains from Google to CF sometime ago, assuming my emails etc. are protected, and now this.
Honest question: What is a good registrar? I used to use Namecheap in the past and have nothing against them.
Unfortunately, unlike other things I cannot self-host a registrar.
Thoughts? Suggestions?
Edit: TBH, I find this wording rather rude "The suspension is permanent and we will not be making changes on our end." especially for a paid product.
Find a small registrar which still is technically competent to know what they’re doing. Bigger is most assuredly not better when what you want is to actually talk to somebody when things have gone pear-shaped. If possible, find somebody as local as possible.
Disclosure: I work at a small registrar, but you’re not in our target market.
Use .fi domains and you absolutely can. You really don't even need to code, run or host anything either unless you wanted to. Probably goes for some other lesser known ccTLDs too I'd assume.
Register as a private individual and leave the field where they ask if you want your contact info listed for consumers unchecked. Then, once they process the application and you're a registrar, never register domains for anyone but yourself.
The bit about not needing to host or code anything was a reference to the fact that Traficom maintains a registrar web interface[4]. If you're a low volume registrar, which you should be since you're a registrar for yourself, the web interface is all you need.
Now, couple of things I'm uncertain about: whether or not the registration process involves fees for non-citizens, and which payment methods they support besides SEPA transfers.
[0]: https://www.traficom.fi/en/communications/fi-domains
[1]: https://www.traficom.fi/en/communications/fi-domains/domain-...
[2]: https://www.traficom.fi/sites/default/files/media/file/regis...
[3]: https://www.traficom.fi/en/services/registration-registrar
[4]: https://registry.domain.fi/s/
Yes it's tricky, and it doesn't scale well, but that's the price you pay when working with people.
Glad that there was a good outcome, but very sad to see it took getting on Page #1 of HN to be resolved.