Archived link

Research into websites that are openly advertising services to a cybercriminal audience, such as bulletproof hosting, reveals that many of these domains are supported by Cloudflare’s services, the NGO Spamhaus says.

For years, Spamhaus has observed abusive activity facilitated by Cloudflare’s various services. Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS).

With 1201 unresolved Spamhaus Blocklist (SBL) listings, it is clear that the state of affairs at Cloudflare’s Connectivity Cloud looks less than optimal from an abuse-handling perspective, Spamhaus writes on its website. 10.05% of all domains listed on Spamhaus’s Domain Blocklist (DBL), which indicates signs of spam or malicious activity, are on Cloudflare nameservers . Spamhaus routinely observes miscreants moving their domains, which are already listed in the DBL, to Cloudflare to disguise the backend of their operation, be it spamvertized domains, phishing, or worse.

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    English
    arrow-up
    9
    ·
    3 months ago

    Cloudflare apparently has 14% to 16% of the DNS market but only serves 10% of domain names for spammers, according to this blog post. That means a site being hosted on Cloudflare is actually a reason to trust an email more, not less, by pure statistics.

    Unlike other hosts, Cloudflare offers a DNS server that’s easy to script against, cheap, and actually works well. A combination of three factors I haven’t seen another DNS host do. Of course spammers are going to flock to services like these. Kick over Cloudflare and the next most bot-friendly DNS provider will take the spammers instead.

    I get why that one security vendor published a blog post about Cloudflare recently (after all, they make money selling scary news articles) but I don’t really get why Spamhaus is publishing this. They link to their own “how to prevent abuse” page which comes down to “take basic personal information (because criminals would never lie), don’t take crypto (anonymity == criminal), use our various services”.

    As for the “bulletproof hosters” part: Cloudflare tries not to make ethical decisions about their customers. Given the position they’re in as middle man to at least 20% of the entire internet (80% of CDNs), I don’t think I want them to make any decisions about who can and who can’t use their services. In fact, if they start picking and choosing their customers and what they host, that increases their liability when illegal stuff does happen on their platform. The internet is free because hosters don’t need to manually approve the stuff they’re hosting as long as they follow up on legal issues; if they start picking and choosing, they’re on the hook for stuff they misjudged or missed.

    SpamHaus can flag Cloudflare domains as a spam/phishing risk if they want to (but I doubt they will, as that would affect their own emails as well, seeing as they are hosted behind Cloudflare). I don’t see why they would need to make a public blog post about their problems.

    • garrett@infosec.pub
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      It’s a bit more about how miserable it is to work with Cloudflare and their unwillingness to remove abuse in general, opting to say they’re “not the host” and that they cannot tell you where it is but they cannot do anything. It’s hardly an ethical decision to say that phishing and bulletproof hosting aren’t the bedfellows you want.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        Depends on the quality of the phishers I guess, but the phishing pages I’ve been emailed only work for the IP that first visited them, after that they turn to 404s or legitimate looking websites. Really annoying, because I wanted to report some domain as phishing to a domain registrar and the moment they checked my submission they told me not to file fake reports.

        I suppose they could try to record all traffic and sift through it to record phishing pages, but somehow I don’t think they’re willing to collect the petabytes per day necessary to check back later. That’s the whole point of Cloudflare, they don’t store the code running websites, they just proxy connections towards these hosts.

        As for telling who they are: I haven’t heard of Cloudflare ignoring any warrants. These hosters aren’t unfindable because they’re behind Cloudflare, the authorities just need to get their shit together to do something about them.

        I don’t think the bad actors are a large part of Cloudflare’s customer base. I get why nonprofits, threat analysists, and other non-government organisations get frustrated when their work is so much easier with the shared hosts and server resellers, but they’re not the police.

        I want Cloudflare’s abuse report to be better, but I don’t think the problems these blog posts have with Cloudflare will disappear if they do. Domains are quick and cheap to re-register, and abuse removal on a Cloudflare scale will probably bring the entire modern internet into a YouTube-copyright-strike system where a few automated reports can take down most websites.

        • garrett@infosec.pub
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          3 months ago

          There’s a balance to be struck here but Cloudflare is truly the most miserable entity I have to work with from an abuse perspective. They’re not necessarily “ignoring” warrants but most phishing doesn’t get reported with a legal takedown request. In those cases, Cloudflare will be almost intentionally obtuse. I’m happy to outline the misery of a host working with Cloudflare but it’s not necessarily important to this. TLDR; Cloudflare takes steps that don’t make sense for its “we’re not responsible” stance while also having zero automation in the year of our lord 2024.

          I suppose everything could be a legal request but that just makes the whole process so infinitely worse for NGOs like Spamhaus and only serves to make lawyers excited that their consultation fees are going up. I see that the laziest pathway is “Youtube-like strikes” which is misery as well but they could just shift to investigating accounts receiving a high volume of reports as potential fraud or abuse actors since it is a drag on their services and these accounts are not paying or are paying with stolen credit cards.

          Ultimately, I don’t disagree with you that much but there’s a lot of room for CF to improve their management of fraud & abuse without becoming a trash platform or invalidating legal protections. Happy to get into the weeds on this a bit more since it’s a lil’ bit close to home. 😅