
Why Some Phishing Emails Are Mysteriously Disappearing - thedg
https://blog.cloudflare.com/combatting-phishing-with-dns/
======
saurik
This is even worse than "we don't like you so we are no longer selling you our
service", which is already problematic :/. Deciding "we know what you are
doing with our service, so we are going to keep selling you our service but
make it do something different" should probably just be illegal. As it stands,
if they really want to do this, I hope they realize it makes them de facto
responsible for all email that goes through their service (and if they don't,
then they are even bigger idiots than I normally paint them to be, as they
literally are involved in a similar case in court _right now_ ).

This is equivalent to "I know you are going to use our invitation service to
invite people to a meeting of your local gang, so we have made the emails go
out with a typo in the location and phone number field", which has the same
sort of "wait, are you sure it is a gang? how do you define a gang? is the
gang even doing something harmful today?" problem that comes with the term
"phishing". While this is much better than them claiming to block "spam"
(which I will claim has so nebulous of a definition as to be meaningless),
this is still a slightly ambiguous classification of any given communication
due to how it interacts with trademark law.

Regardless, now that they have shown that they are interested in modifying the
behavior of their platform to stop "using the Cloudflare platform for evil" (a
direct quote from their blog post), clearly they now also should be using
similar techniques to stop people from sending email about drug paraphernalia,
and they should stop people from sending email with hate speech, and they
should stop sending email about terrorism. _They also should, of course, stop
people from sending email about software piracy, or sending email about
services designed to undermine copyright like SciHub, or sending email
advertising "obscene" pornography._

They have now shown both the ability to do this and an interest in doing this,
which is exactly what they recently demonstrated with the Daily Stormer SNAFU,
where they showed the ability and interest to block use of their service "for
evil"; in that case, the people were "Nazis", which may or may not be more
clear cut than "phishers", but the scenario is essentially the same... and
they are now having to backpedal their actions in court as this is being used
as evidence for why they should be responsible for blocking piracy on their
platform. The reality is that once you show an ability and an interest in
policing content, what kinds of content you are forced to police will be taken
from you and given to the state.

[https://torrentfreak.com/daily-stormer-termination-haunts-cloudflare-in-online-piracy-case-170929/](https://torrentfreak.com/daily-stormer-termination-haunts-cloudflare-in-online-piracy-case-170929/)

Cloudflare's decision today is going to be devastating not only for them, but
for the Internet as a whole (as usual :/).

~~~
vr46
I use Cloudflare and life is wonderful. This is a good writeup of a cool
strategy and while I understand the fears of my fellow posters - and point out
the fear-mongering too - we could just take them at their word and see this as
a positive step in the fight against evil.

The Daily Stormer army deserves little sympathy, and using them to invoke a
slippery slope argument full of straw men is somewhat sloppy and escalates
this discussion to a place where criminal actors are victims and a company
trying to do something good is told they're lackeys of a police state.

Geez, cut them some slack.

~~~
saurik
> The Daily Stormer army deserves little sympathy, and using them to invoke a
> slippery slope argument full of straw men is somewhat sloppy and escalates
> this discussion to a place where criminal actors are victims and a company
> trying to do something good is told they're lackeys of a police state.

I agree that The Daily Stormer deserves no sympathy, and will note I did not
apologize for them (I even chose to call them "Nazis" instead of "neo-Nazis"
or "alt-right": let's call a spade a spade, after all).

However, I also did not make a theoretical argument to which you can try to
play your dismissive cards of "slippery slope" or "straw man": in fact, I
pointed to an ongoing case playing out _right now, in court_.

[https://www.digitalmusicnews.com/2017/10/11/cloudflare-ceo-neo-nazi-piracy/](https://www.digitalmusicnews.com/2017/10/11/cloudflare-ceo-neo-nazi-piracy/)

> If Cloudflare Can Block Neo-Nazi Sites, Why Can’t They Block Piracy Sites?

> In a recent filing, lawyers for the adult entertainment company demanded a
> 7-hour deposition. Using Prince’s own words against him, ALS Scan wrote,

> “By his own admissions, Mr. Prince’s decision to terminate certain users’
> accounts was ‘arbitrary,’ the result of him waking up ‘in a bad mood,’ and a
> decision he made unilaterally as ‘CEO of a major Internet infrastructure
> corporation’.

> “Mr. Prince has made it clear that he is the one who determines the
> circumstances under which Cloudflare will terminate a user’s account.”

The reality is exactly as I claim it to be, and the stakes are just as high as
I argue. If you disagree, I implore you to respond to the evidence, not simply
dismiss the argument out of hand.

~~~
vr46
Fair enough.

Clumsy handling by Mr Prince - and certainly suggests that we need more due
process everywhere - but an emotive issue that most people could sympathize
with.

The company has basically decided that Nazis don't get service but porn-
pirates do. It's not very black and white, though. Morally, it's a minefield.
"Porn producers pissed-off at pirates not being given the same treatment as
Nazis"

I bow to your observations, but I'm not convinced that the stakes are as high
as you argue...

------
badrabbit
If a mail client does not support dmarc, or happens to move reject policy
emails to junk (as opposed to not delivering at all), and the user loses all
their money to a phishing campaign, would cloudflare be held responsible?

I get the intent but in these situations, no solution is better than a
half-cooked solution. If I happened to be a victim in my hypothetical scenario
above, sure I would get pissed at my (web)mail client, but also at cloudflare
for not terminating the phisher's service when they were so sure of the
malicious content hosted they went as far as sabotaging dmarc records.

From a more practical point of view, most phishing campaigns like to use
compromised websites or email accounts to send the email. Now the email itself
will typically have a link to some nasty site or an attachment that eventually
ends up "dropping" a second stage malware from some other nasty site. So, if
these nasty sites sit behind Cloudflare, how does it make sense to not hold
Cloudflare responsible? Historically, their defense was "we are just the
network transport provider". But what now? They can sabotage dmarc records but
not A records? Their legal team must either be sleeping on the job or so good
that an obvious liability like this isn't seen as a business risk.
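
The scenario in the comment above, modelled as an added example that is not part of the thread and not Cloudflare's code: it parses a DMARC record and reports what DMARC alone does to a failing message at three kinds of receiver. The receiver mode names and the sample record are assumptions made for the illustration; "deliver" only means DMARC took no action, other filtering may still apply.

```python
# Added example. Receiver modes are hypothetical labels; the record is constructed.
VALID_POLICIES = ("none", "quarantine", "reject")
RECEIVER_MODES = ("enforcing", "junk_on_reject", "no_dmarc")

def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}; None if it is not a usable record.

    Simplified from RFC 7489: v=DMARC1 must be the first tag and p must be valid.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for index, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None                      # malformed tag, discard the record
        name, value = name.strip().lower(), value.strip()
        if index == 0 and (name, value) != ("v", "DMARC1"):
            return None                      # version tag must come first
        tags.setdefault(name, value)         # keep the first occurrence (a choice made here)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None
    tags["p"] = policy
    return tags

def disposition(record_txt, receiver, dmarc_pass=False):
    """DMARC's effect on one message at one receiver: 'deliver', 'junk' or 'reject'."""
    if receiver not in RECEIVER_MODES:
        raise ValueError(f"unknown receiver mode: {receiver}")
    if receiver == "no_dmarc":
        return "deliver"                     # the record is never looked up
    tags = parse_dmarc(record_txt)
    if tags is None or dmarc_pass or tags["p"] == "none":
        return "deliver"                     # DMARC takes no action
    if tags["p"] == "quarantine":
        return "junk"
    # p=reject: only a fully enforcing receiver refuses the message outright
    return "reject" if receiver == "enforcing" else "junk"

def exposure(record_txt):
    """Disposition of a DMARC-failing message at each receiver mode."""
    return {mode: disposition(record_txt, mode) for mode in RECEIVER_MODES}

SAMPLE_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"  # constructed

if __name__ == "__main__":
    for mode, result in exposure(SAMPLE_RECORD).items():
        print(f"{mode:15} -> {result}")
```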

~~~
matt4077
> If a mail client does not support dmarc, or happens to move reject policy
> emails to junk (as opposed to not delivering at all), and the user loses all
> their money to a phishing campaign, would cloudflare be held responsible?

No.

This argument is based on a long-outdated understanding of the law. Section
230 of the Communications Decency Act extends immunity even to services
exercising editorial control over content.

See Zeran v. AOL:

_[L]awsuits seeking to hold a service liable for its exercise of a publisher's
traditional editorial functions – such as deciding whether to publish,
withdraw, postpone or alter content – are barred. The purpose of this
statutory immunity is not difficult to discern. Congress recognized the threat
that tort-based lawsuits pose to freedom of speech in the new and burgeoning
Internet medium. [...] Section 230 was enacted, in part, to maintain the
robust nature of Internet communication [...] ."_

_"Congress' clear objective in passing §230 of the CDA was to encourage the
development of technologies, procedures and techniques by which objectionable
material could be blocked or deleted."[5] Since distributor liability would
have the effect of disincentivizing the filtering of content by third parties,
the court found that such laws were in conflict with the "purpose and
objectives of congress," and were thus preempted_

~~~
badrabbit
Correct me if I am wrong, wouldn't this position Cloudflare as a "Publisher" of
the content? Forget about holding it liable for censoring content (email via
dmarc p=reject;), but as a publisher is it not liable for the nature of the
content it publishes?

I understand that you can't hold Cloudflare liable just because its customers
hosted illegal or damaging content. But isn't a "publisher" liable for content
take-down after an abuse notice? If they can't be sued under civil law, can't
they be prosecuted under criminal law?

[https://en.m.wikipedia.org/wiki/Aiding_and_abetting](https://en.m.wikipedia.org/wiki/Aiding_and_abetting)

Section two title 18:

> (b) Whoever willfully causes an act to be done which if directly performed
> by him or another would be an offense against the United States, is
> punishable as a principal.

------
cypherpunks01
I don't understand why it's better to surreptitiously alter records for ToS
violators rather than simply close their accounts altogether. Seems like the
definition of a slippery slope.

~~~
mox1
Because evidence has shown when you waste the time of people doing this, they
move on. If you instantly ban them, it's easy to spot, easy to automate and
doesn't really solve the problem.

[https://en.wikipedia.org/wiki/Stealth_banning](https://en.wikipedia.org/wiki/Stealth_banning)

~~~
Chaebixi
> Because evidence has shown when you waste the time of people doing this,
> they move on.

I'm not convinced of this. At best, shadow-banning wastes a little bit of
their time and delays slightly their inevitable creation of a new account.

> If you instantly ban them, it's easy to spot, easy to automate and doesn't
> really solve the problem.

Shadowbanning only really works for unsophisticated users. If you know it's a
possibility, it's easy to check for (just create another account and check
with it). Phishers are probably going to be fairly sophisticated, since
they're working to make a profit, not to only disrupt or push a POV.

~~~
mox1
Correct, this will not stop "sophisticated" users. The whole goal of this
system is to cause bad actors to dedicate more resources to using your
platform and add a shadow of doubt. Spammers, etc. all want a cheap easy
payday, that's the entire point (money for minimal time).

I run a service that spammers and phishers love. I started by banning these
people (and sending them an e-mail letting them know why). They didn't stop,
they just grabbed another free e-mail and continued. Now I quietly just delete
the data they submit and never ban accounts. I let them submit data, tell them
it's accepted, then some time later (1-120 seconds) just delete the data. Their
account still works, they just can't do much with it. Once the system became
unreliable for them, they just moved on to something else.

~~~
Chaebixi
> Spammers, etc. all want a cheap easy payday, that's the entire point (money
> for minimal time).

I'm under the impression that spamming isn't as easy as it once was, and a
fair amount of effort needs to be devoted to bypassing spam/abuse detection
and blocks, which is exactly what a shadowban is.

> Once the system became unreliable for them, they just moved on to something
> else.

I would imagine that would depend on if there are equivalent services that the
spammer could more easily migrate to. It sounds like they didn't move on from
spamming, just from your service. Switching to a drop-in replacement would
definitely be easier than writing a shadowban detector.

I'm just disputing that shadowbanning is a more effective solution than
straight bans. It's just not that much harder to detect.

------
ISL
Is this equivalent to hell-banning censorship by an infrastructure layer?

I understand the positive intent, but it feels wrong to have email content
altered by infrastructure layers. A slippery-slope argument may apply.

~~~
durkie
it also seems like it could be easily technically circumvented: put an email
address to which you have access on your phishing lists. see if it gets the
mail as expected.

~~~
tomschlick
Solution: stop using CF services for phishing which is exactly what CF wants
them to do

