This same thing happens with CloudFlare & is being actively exploited. We reported it to them within the last two weeks and we were told that it's expected behaviour and that they weren't going to do anything about it.
I asked them to, at the absolute least, send an email notification to the prior-CloudFlare owner letting them know that the domain "your CF account used to control is now being controlled by a new CF account". Better yet, implement a domain ownership validation scheme.
They told us that they wouldn't be making any changes.
FWIW, on CloudFlare what happened to us was: we were moving registrars for ~100 domains, from GoDaddy to Route53. During this transition, the NS for the domains temporarily became blank; at this point CF automatically removed the domains from our CF account. The NS were then re-added to the domains on the Route53 side (<4 hours of 'no nameserver' time).
Apparently there are people out there that are looking for domains that are pointed to CF and then attempting to add them to their own CF account (automated I'm sure) -- which CF lets them do without any verification once they've been auto-removed from your [the original CF account] account.
Interestingly, the original account must be still stored in their system with the domain because we were able to re-add the domain to our original CF account without any verification; effectively "stealing the domains back" to our CF account, away from the thieve's CF account.
In this case, the "attackers" (perhaps more appropriate, I call them 'malicious actors') were able to commandeer ~100 of our domains for ~2 months, for free; they redirected them to Russian websites, torrent sites, affiliate sites, etc.
Again, this is being actively exploited on CloudFlare, at the direct expense of CF customers -- but, according to CF, it's not an issue...?!
According to CloudFlare, they are are a reverse proxy, and they are not responsible for anything. This has been their response to every issue that I've tried to bring up with them over any channel, including here on HN.
It seems that this is getting downvoted, and I want to explain why I agree with the downvotes:
The policy on that web page has two egregious issues.
1) It does not have any provisions for SPAM. I regularly get e-mail SPAM that has CloudFlare-protected links. That abuse page does not even apply. Effectively, CloudFlare offers spammers a 'pink contract'.
2) CloudFlare has a reputation for ignoring abuse, and that page effectively says nothing about whether abuse will be stopped; that page only offers to transmit the personal information of someone who reports abuse off to an abuser. This is not a theoretical; this has happened in the past, and the personal information of someone who reported a site that contained child pornography was then posted all over the net for its users to begin harassment with.
So if you find something abusive or malicious, your best bet really is not to report it. CloudFlare won't act, other than to put you at risk.
For what it's worth, in the support ticket exchange I did indeed offer to submit details of the attack vector along with proof that it's currently being actively exploited, for financial gain & at the direct expense of your customers.
I was basically told "you will be wasting your time"...
I don't care whether it's reviewed by a human or not, the fact remains that CloudFlare does not act on abuse reports because they claim "reverse proxy = not responsible" in every abuse report I've sent them even on matters that do not pertain to their reverse proxy functionality at all.
They just don't want to be responsible, and unlike any other large network service provider that I sent abuse reports to, they just try and deflect and keep servicing spamming and phishing operations instead of booting them from their systems.
I work at CloudFlare, not in DNS or on this code, and have mentioned this incident in the all-company chat. There is a healthy conversation happening there and it turns out a fix was already in the works for the underlying issue.
adanto6840 has supplied the support ticket number (thank you), and this specific incident is also being reviewed.
I asked them to, at the absolute least, send an email notification to the prior-CloudFlare owner letting them know that the domain "your CF account used to control is now being controlled by a new CF account". Better yet, implement a domain ownership validation scheme.
They told us that they wouldn't be making any changes.
FWIW, on CloudFlare what happened to us was: we were moving registrars for ~100 domains, from GoDaddy to Route53. During this transition, the NS for the domains temporarily became blank; at this point CF automatically removed the domains from our CF account. The NS were then re-added to the domains on the Route53 side (<4 hours of 'no nameserver' time).
Apparently there are people out there that are looking for domains that are pointed to CF and then attempting to add them to their own CF account (automated I'm sure) -- which CF lets them do without any verification once they've been auto-removed from your [the original CF account] account.
Interestingly, the original account must be still stored in their system with the domain because we were able to re-add the domain to our original CF account without any verification; effectively "stealing the domains back" to our CF account, away from the thieve's CF account.
In this case, the "attackers" (perhaps more appropriate, I call them 'malicious actors') were able to commandeer ~100 of our domains for ~2 months, for free; they redirected them to Russian websites, torrent sites, affiliate sites, etc.
Again, this is being actively exploited on CloudFlare, at the direct expense of CF customers -- but, according to CF, it's not an issue...?!