Cloudflare and Spamhaus

C

Spamhaus has been the subject of a lot of discussion the last few weeks. I touched on this a little in June when I blogged that a number of large brands were getting SBL listings.
But big brands are not the only companies with publicly discussed SBL listings.
Cloudflare, the content delivery network that grew out of project honeypot, has a number of SBL listings, covering at least 2 /18s and a /20. Representatives and customers of Cloudflare have been discussing the listings on twitter.
As a content provider, Cloudflare isn’t actually sending mail nor are they actually hosting the content. What they are doing is providing consistent name service and traffic routing to malicious websites. In fact, they’ve been providing services to a malware botnet controller (SBL138291) since May, 2012. They’re also providing services to a number of SEO spammers. Both of these actions are justification for a SBL listing, and Spamhaus has a history of listing providers protecting spammers.
Cloudflare claims they take action on all “properly filed complaints” and they may actually do that. But their reports require quite a bit of information and require consent for releasing information to 3rd parties. Looking at the website, it appears to me to be a site designed to discourage abuse reports and stop people from reporting problems to Cloudflare.
When you look at the Cloudflare business model it’s clearly one that will be abused. Cloudflare acts as a reverse proxy / pass through network that caches data from their customers. This protects the abusers webhosting setup and prevents people tracking the abuser from being able to determine the true host of a website. As a responsible internet citizen, Cloudflare should be disconnecting the customers hiding behind Cloudflare’s services.
Unfortunately, Cloudflare seems unwilling to actually police their customers. They’ve taken a totally hands off approach.
Let’s be frank. Cloudflare has been providing service to Botnet C&C servers for at least two months. It doesn’t matter that the abuser has the malware on a machine elsewhere, Cloudflare’s IP is the one that serves the data. I don’t care what you think about spam, providing service to malware providers is totally unacceptable. It’s even more unacceptable when you claim to be a security company. Nothing about malware is legitimate and the fact that Cloudflare is continuing to host a malware network command and control node is concerning at the very least.
Cloudflare (.pdf) is listed on Spamhaus for providing spam support services. The most obvious of these is providing service to a malware controller. And Spamhaus escalated the listings because they are allowing other abusers to hide behind their reverse proxy.

About the author

25 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • On the face of it, it seems pretty damning indeed, but we have to be careful – they may have been asked by the FBI not to disconnect the C&C server, just as was the case for DNSchanger, in which case they would not be permitted to talk about it.
    I was ops manager for a Dutch ISP in 1999-2000 and I was told the Dutch authorities had asked us not to shut down child porn Usenet forums because they wanted to monitor them (and presumably trace and prosecute participants) rather than drive them deeper underground in a darknet.

  • Yeah, but, Fazal, Cloudflare is not SBL’d with a single listing for supporting a C&C server. There were a bunch of different listings for different kinds of spam and bad stuff. And after the listing, the Cloudflare CEO guy decided to run his mouth about it publicly instead of dealing with it. I’ve heard (admittedly only second hand so far) that they disclaim responsibility for sites reported to them because they don’t host the sites in question. True, but if the connectivity runs through you, and you don’t null route or terminate the bad stuff, then the buck stops with you. And that is where Cloudflare is today, from what I can tell.

  • Yah, this “I don’t shoot people, I only have a contract to supply the shooters w/ bullets” defense is most unimpressive.

  • This is most unfortunate for CloudFlare. They obviously don’t understand the significance of an SBL listing, and the care Spamhaus takes when they consider posting an IP or provider on the list.

  • Disclosure: I work at CloudFlare, and I am extremely active on their abuse team. There is very much a side to this story no one is being told.
    This is paraphrased from our CEO from this blog post on this topic (it’s actually about our general abuse policy/stance) –> http://blog.cloudflare.com/thoughts-on-abuse
    Spamhaus has an issue with this CloudFlare customer:
    http://polyeeplast.com
    The site isn’t a phishing site and it is not hosting malware. From what the Spamhaus investigator told us, the site is appearing in spam email that was sent through Facebook’s network and was received by some Spamhaus spam traps. We were not able to independently verify this with Facebook, but we are inclined to believe those facts are true. While it would be the most effective way of dealing with the issue, Ironically, Spamhaus is reluctant to block Facebook’s out-bound IP addresses because of a concern about false positives. They have listed the site on the Spamhaus Domain Blacklist (DBL) which we believe is entirely appropriate. So this is essentially Spamhaus going after CloudFlare because they can’t go after Facebook, makes sense right?
    Pursuant to our policy described on our site, we passed the complaint on to the site’s hosting provider and to the customer in question. Based on Spamhaus’s concerns, we are also creating an isolated section of our network for customers that have potential spam issues that are reported by trusted parties. There is additional engineering required to do this, but we have prioritized it and believe it will be online by the end of next week. I’ve been told by people in the industry that this aligns with the policies of organizations like AOL and Gmail. We would be comfortable with Spamhaus listing this limited block of IP space, and we will happily work with them to move customers that appear on the SBL to the “bad boy” block.
    We are taking additional steps to ensure that our customers are not impacted. Our monitoring of the impact of the SBL shows that it has been de minimis but, ultimately, we are fighting the same fight as Spamhaus and so we are hopeful we will able to get this issue resolved. Going forward, our hope is this incident will allow us to better work with Spamhaus and other organizations to get these reports as well as reports on malware/phishing. We should be brothers in arms.
    Our CEO started one of the largest email honey pot networks in the world (Project Honey Pot) and that work there was part of what inspired CloudFlare. Spamhaus does important work and is responsible for helping block a huge percentage of the spam sent daily.
    If this customer is sending out spam messages, then shame on them and the servers they’re using to send messages should be blocked, even if that means blocking Facebook. We are concerned, however, any organization, be it CloudFlare, Spamhaus, sit in a position where they would censor a site that on its face is not causing harm. As a practical matter, we are also concerned that honoring a request to knock this site offline will only open a new abuse vector for people trying to bypass CloudFlare. Add a domain protected by CloudFlare to spam messages and, as soon as there’s a SBL listing, our protections will effectively be bypassed.
    Finally, to be clear, polyeeplast.com is a free customer. They do not pay us now and, so far as we can tell, they never have. The chatter on Spamhaus’s lists that this is a business decision misses the point. While we philosophically support the mission of Spamhaus, we believe the same philosophical perspective means that we cannot terminate this customer based on the evidence they have presented us.

  • It’s a broader issue than one customer. Much broader. And I don’t just mean that it’s multiple customers.
    However, even if it were just one customer, and they were doing something bad enough to be worthy of an SBL listing, and you continued to host that customer then, yes, you’d be actively supporting abusive behavior. That’s OK as a business model, but one of the costs of choosing to be that sort of business is shunning by the rest of the Internet – and the driving away of legitimate customers that tends to cause can lead to a downward spiral in customer quality.
    Taking on that cost of doing business on behalf of a high-value flagship customer might well be a good business decision in some cases. Doing it on behalf of someone you’re giving service to for free, while they’re making money from their network abuse, is not the sign of a healthy or well-managed business.
    The claim that Spamhaus are only going after CloudFlare because they won’t list someone as big as FaceBook is implausible on several counts – not least that active FaceBook addresses have been listed by SpamHaus in the past, and I’m sure will be listed again in the future.
    They’re going after CloudFlare (with, I’m fairly sure, no more enthusiasm than they go after any other spammer or malware hoster) because CloudFlare has multiple customers behaving badly, up to and including felony badly. At the time I write this there are 15 separate /32s listed by SpamHaus, each for IP addresses that are specifically connected to abusive behaviour – and there’s no implication that that’s an exhaustive list.

  • I’m not buying what CloudFlare is saying here, Justin. I have no involvement in this matter, but from reading the coverage of it and looking at the SBL listings, it sure seems to involve more than one client, and it sure doesn’t seem to me that Spamhaus is afraid fo listing Facebook (they certainly have before). I also see what CloudFlare has said to others, disclaiming responsibility for bad actor traffic crossing the CloudFlare network or service…that’s a bad policy. If I still ran a network, I’d be blocking CloudFlare as a result of that policy choice. (And let’s be clear, it absolutely is a choice. It sure looks to me as though a provider/service like CloudFlare could choose to null route bad stuff based on reports received and investigating those reports.)

  • CF’s reticence is causing pain for their legitimate customers as well. We send mail on behalf of one of them, but our own outbound filtering is preventing the mail from being sent through our application because of the listing. I’ve declined to make an exception in our filtering to accommodate the client because of the broader security implications such an exception might have for our own assets.

  • I am a Cloudflare customer. I am using Aweber to email out for my business.
    A few days ago one of my messages had a 10 spam rating from Aweber built in Spamassassin. My website was now on a spamhause block list.
    Aside from philosophical discussions I am searching for a technical solution. Personally I don’t want to leave Cloudflare and change my DNS back to my old provider as Cloudflare provide a lot of positive attributes to my websites but no mail outs means no business….
    What would you suggest that I do?
    Thank you

  • Hey Justin,
    Thank you for resolving the issue with me.
    Whatever is said about Cloudflare – I believe their spam policy is based on the principle of internet freedom. They are a very professional and passionate company. This, i can tell, is reflected in how they treat their customers during this difficult time.
    Keep at it Cloudflare and thank you for the support.
    Rahal

  • I use Aweber and came across the same problem. Spam score from emails went from Zero to Ten with no changes to the email content.
    We contacted Aweber, and they confirmed that CloudFlare is in the Spamhaus SBL.
    How many thousands, or millions of websites are being affected because of a few bad apples?
    Unfortunately, we can’t wait on CloudFlare to get their act together. If anyone has experience with CloudFlare competitors that are not listed in the Spamhaus SBL, it’d be interesting to hear your suggestions.
    CloudFlare could at least alert customers that this issue is occurring. Their support team merely said they’re working on the issue.
    Aweber said that if we drop CloudFlare, our email’s score will return back to normal within 24 to 48 hours.

  • It appears that Cloudflare continues to support botnets, SPAM and other illegal activity. I am constantly tracking down fly by night domain registrations that list them as the DNS servers.
    It appears they have a product line primarily to support this illegal SPAM and botnet business for overseas companies.
    It would be interesting to test the waters of holding them financially and criminally liable for such aiding and abetting.

  • I do not give a hoot about what Spamhaus did regarding Cloudflare or even CloudFlare’s response.
    What I do care about is all the extra work I have to go through to stop a huge amount of spam coming from CloudFlare’s networks. To me Cloudflare is an accomplice to this madness. CloudFlare allows their customers to abuse my network and infrastructure, that we work so hard to maintain. Its an assault on their fellow man, all for the sake of a dollar. There is no CIA telling them to not police them selves so the CIA can get at the real guys!!! CloudFlare get paid and paid well from those that use there services or they just don’t give a rip.

  • I’m getting hundreds of spam emails from CloudFlare every week, from dozens of different domains. All of them have the same “User ID” for me, so clearly this is one spammer – or at least originates with one spammer’s list – and all sent through CloudFlare.
    I report ALL of them through SpamCop, but at least half garner the response “ISP has indicated activity will stop” – then it doesn’t.
    If I could find a list of all of CloudFlare’s IP addresses, I would block them all. They’re nothing but spam accomplices and I hope they’re blacklisted by enough services that they have to change their policy.

  • As an old saying says; “if any doubt, stay away”. and that is exactly what we will do now.
    This and that, he accuses him and they accuse them …, what is this, kindergarden, politics?
    Whatever, make your day!
    While you talk and argue and push blame across tables, we make a decision, “Cloudflare” is certainly NOT FOR US.
    Good luck to all the fishy kids out there, make your money, we stay without you and clean.

  • @Norbet I am neither fishy or a kid but if in doubt I will do some research to better make a decision.
    Its probably a good thing your website fails to load

  • In the last few days I have just been spammed by multiple “businesses” all with the same layout, the same Unsubscibe option, the same style of header – the “From” address containing the company name and my name.
    All the websites show up as being hosted by Cloudfare. Now, the email address that they are using is one that appears to have been sold to these companies by another American company.
    Thankfully, European law makes this kind of thing illegal – you have to Opt In to receive marketing/spam, not opt out after someone has sold your email address.
    For the spammers in the US who consider it perfectly good business practice – if you weren’t hucking snake oil, you wouldn’t need to try to con people. Your product should be good enough not to invade those who don’t want to be forced to receive your spam.

  • A deviant hacker is using a cloudflare reverse proxy to “mirror” my website. The hacker’s website IP is not the same as the IP that is actually hitting my server.
    Cloudflare’s generic response:
    Please be aware CloudFlare is a network provider offering a reverse proxy, pass-through security service. We are not a hosting provider. CloudFlare does not control the content of our customers.
    We are unable to process your report for the following reason(s):
    The domain or subdomain reported does not resolve to a CloudFlare IP address. The domain/subdomain might be using name servers provided by CloudFlare, but that does not indicate where it resolves to. Since the domain or subdomain is not pointing at a CloudFlare IP you will be able to look up where it resolves to and then contact the responsible hosting provider.

  • I have had no experience with Cloudflare until today, IPs dating back to their service have tried logging into my website 2,500 times in the last two days. Each attempt has a different IP, is there any way I can prevent this? Because I am getting pretty annoyed

  • Hi Asher,
    Unfortunately, CloudFlare doesn’t care. I have reported similar things in the past, as well as a bunch of other abuses, and CloudFlare just replies telling me they are a “reverse proxy” everything else isn’t their concern, even though they are directly responsible for it.
    Reading the information available on the internet, CloudFlare seem to be terrible in this regard and in addition to that proud of their “Saving the Internet”-philosphy.
    Wulf

  • About 3 months ago a number of links started appearing in Google search for my name. My full and rather unique name is in the link and/or snippet along with references to sex chatting,webcams and “adult free sex”. They are all Russian domains (.ru) and all are “sneaky re-directs” to commercial sites like “hookup12.com” or “xgetlaidtonight.com”. CloudFlare network is used and of course they deny responsibility. But they did get the webmaster to amend a particularly objectionable snippet. But they make it really difficult to even file a complaint. They asked me to “prove” that this is abuse?! Google originally removed the links but they came back and I can’t get Google to remove them.
    CloudFlare has grown by leaps and bounds over the years and there is no doubt in my mind that shielding scumbag webmasters is one reason for their success. The word is out that if you want to abuse somebody or post anything illegal (except child pornography) you will remain anonymous on CloudFlare network.
    Shame on CloudFlare!

  • I agree with the above. I’ve been getting more and more SPAM every week for the last few months – often over 100/day get past my spam filters (which are as tight as I can make them without more false positives). I report ALL spam through SPAMCOP.
    The vast majority (over 90%) of the SPAM references a site being fronted by Cloudflare. But do they do anything about it? Nope.
    I have come to the conclusion that supporting spammers is a big money-maker for them. The spammers know Cloudflare will get the complaint and not do anything about it. This is a big draw for spammers because they don’t have to keep finding new hosting companies to support their garbage.

  • Up to 40 spam emails per day now, all reported to SPAMCOP as done by Jerry above.
    Most prolific references when posting the properties of each email are:
    servercrate.com
    wowrack.com
    nomarents.com
    above singularly, all followed by:
    cloudflare.com

  • Also — for the record six to seven years later — Cloudflare does absolutely NOTHING to stop spammers in emailing you unwanted content by the 100’s of emails daily. You can report emails to them all you want; they do NOTHING. How do I know? I’ve been reporting emails to them for almost one year now from the same website they host; they’ve not lifted a finger to help me, and I’m up to about 150 emails daily from the same site.

By laura

Recent Posts

Archives

Follow Us