Ask HN: Has Cloudflare blocked your domain without explaining what's going on?
335 points by malikNF on May 31, 2022 | 192 comments
I had transferred the domain from Namecheap to Cloudflare because I had heard good things about them on here. Everything was working well (I mainly use this domain for my personal email), and now nothing is working: no warnings, nothing.

I contacted Cloudflare support and they transferred me over to their "Trust & Safety" team.

This is the response I get.

------

Hello,

Your account violated our terms of service specifically fraud. The suspension is permanent and we will not be making changes on our end.

Regards, Cloudflare Trust & Safety

-----

What the heck is that supposed to even mean? Has anyone else had any way to deal with this sort of issue? Anyone from CF lurking here who can help me please? This is my personal domain and a lot of my other accounts are attached to it. Like, what am I even supposed to do here?




Update: Just received an email from CF.

--------------

Hello,

With regard to your inquiry, we have restored the domain names in your account to active status. Please allow for normal propagation. You will need to re-add mnf90.com to your account in order to manage it. Our apologies for any inconvenience this may have caused.

Kind Regards, Cloudflare Trust & Safety

------------

Not much info lol, but I guess it's fixed now?

Thanks HN for upvoting my post and helping me get the attention of CF. Time to go figure out how not to get into this situation again, and a way to mitigate this in case the AI gets angry again. Funniest thing about this is, I wanted my own email because I was afraid of this scenario, getting locked out of everything: what happens if big G or M decide to close my account down?

Again, thanks HN. Really appreciate you folks for helping me get the attention.


You keep framing this as "how do I make sure I don't get into this situation again," but with the attention this is getting (#6 on HN) and just how bad the issue is (both functionally and PR-wise)... Cloudflare should really do a public post-mortem here. It sounds like it's their fault.


I also want to see a Cloudflare post-mortem here. All of my domains are with them. The worst part of OP's story is that they even prevented him from moving the domains to another registrar. So if this happens to any of us we're completely locked out of our email.


Which violates their registrar agreements:

> Registered Name Holders must be able to transfer their domain name registrations between Registrars

(Note that sections 3.7-3.9 do allow registrars to deny transfers, e.g. given "evidence of fraud", but given that they reinstated the domains I doubt they have evidence of fraud.)

https://www.icann.org/resources/pages/transfer-policy-2016-0...


Why does a private corporation get to unilaterally decide something is fraud and seize someone's property? Is this what ownership is supposed to be like?


You never "own" a domain. You just rent it from a registrar, who had permission from ICANN to let you rent it. There is no "good" that you can take with you when you give a registrar money for a domain.


The only way to 'solve' this problem is to be an ICANN accredited registrar by yourself as an individual on an individual basis.

Edit:- Then the problem comes from registry. So, along with being a registrar, that individual will need to become a registry recognized by ICANN


Another way to solve it is by switching to a blockchain-based registry like IPFS or Namecoin.


>There is no "good" that you can take with you when you give a registrar money for a domain.

Ah, can't wait until you understand the nature of money itself ;)


But they (their automated system, or through a mistake, or whatever) thought they did have evidence of fraud, right, so that's consistent?


Perhaps I wasn't clear. I mean that they sent some vague email saying they'd detected fraud, and took other 'we've found fraud' actions (it was a false positive, yes, but beside my point), so it would be weird if they then acted like they couldn't take registrar actions that they could only take if the reason was fraud.

The behaviour was wrong and concerning yes, but it seems internally consistent, all along the 'fraud' path.


> prevented him from moving the domains to another registrar

That sounds like theft to me


Theft/fraud/etc only applies to individuals. When big companies do it it's business as usual.


You can't transfer domains more than once every 60 days... so if he transferred within the last 60 days, no place would let him transfer out.


It's not clear if he moved the registration to Cloudflare, or just the name servers.

There’s a case for not having your registrar also host your DNS records.


Sorry if my post wasn't clear. What I meant by mitigating this issue is, I am going to start looking into other providers and escape routes in case I anger the almighty AI again.

I too am really interested in figuring out why I (free) and my clients (paid subscriptions) will trust Cloudflare. Mistakes happen, but I can't even imagine my situation if HN hadn't come to my aid.


Yeah, I agree it's totally valid to want to avoid the AI ban hammer. I find myself doing it too - e.g. paying cash at stores I would normally never go to, for fear Mastercard thinks it's fraud. I was just saying that it's an egregious enough error that in your shoes I'd be a lot more upset with CF.


The irony in paying cash instead of using your card is that you're likely training their model to be more likely to flag transactions as fraudulent.

This sort of stuff is why explainable AI is IMO important. Assuming the CSR could see _why_ the original domain was flagged by the model as fraud, they could respond in a meaningful way, other than just requiring the OP to go and find someone with more authority than the machine to override the decision.

Unfortunately in these types of situations, getting a satisfying explanation of why something happened is incredibly rare - my understanding is that it's usually at best an educated guess.


How do we get them to post a follow-up or post-mortem? I get that it might be difficult to discuss a specific case involving a customer, but there’s something seriously wrong when they first refuse to share details and claim they will not be reconsidering the decision, only to later do exactly that after the case gets attention. That’s an inexcusable procedural error that should be very worrying to any of their customers.


This happens all the time. Not sure you can expect a post-mortem on this one specific case


"This" being people being locked out of their critical infrastructure through no fault of their own and with no recourse but to hope for the HN effect?

Yeah I love the future we all live in... :|


Update 2:

-----------------------------

Hello,

To clarify the issue, this account was identified in a recent fraud review, however it appears to have been a false positive. We have left a note in this account for future reference.

Kind Regards, Cloudflare Trust & Safety


That's really quite worrying. You'd have been screwed without HN, but not everyone has that recourse. How many other domains have been affected by "false positives" announced with a "we've banned you and we aren't telling you why; now fuck off" type email?


Not to mention the "don't worry, we've put a sticky note on this account so it won't happen again (to you)" instead of an "oh shit, we need to immediately stop and fix this automated process that is catching legitimate customers and banning them with no recourse."


Very worrying. One of the reasons I'd choose a non-huge company like Cloudflare would be I'm less likely to encounter one of these "our automation banned you, we won't tell you why, fuck off" episodes. Looks like more and more companies are cargo-culting this horrible practice.

Waiting for my utility company to turn off my heat: "Your house is fraud. We won't tell you how we know. Fuck off and freeze."


Cloudflare is by no means a "non-huge company" - don't they route/cdn like 1/4 of the entire internet?

Going with Cloudflare is a choice towards centralization.


I read it as

> non-(huge company like Cloudflare)

not

> (non-huge company) like Cloudflare


> one of these "our automation banned you, we won't tell you why, fuck off" episodes

More like "We can't tell you because it's AI and the (AI) won't tell us why it made that decision".


I agree 100%. And yes, without HN I will be really screwed.


I am really curious about this. How screwed is this? Can you move your domain out, if you want to?


Cloudflare marked my domain as PENDING DELETE. So from what I have read in the past few mins my only option was to buy the domain the moment it gets released through another registrar and hope no one else snatches it. So yeh, VERY screwed.
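The PENDING DELETE status described here, the registry and registrar transfer locks, and the 60-day transfer rule raised elsewhere in this thread are all visible in a domain's public RDAP record, which is the check an owner can run independently of the registrar's own dashboard. The following is an added example, not code from this thread or from Cloudflare: it evaluates RDAP domain objects and flags the conditions the thread describes. RDAP spells EPP status codes with spaces (RFC 8056), e.g. "pending delete"; the two RDAP records are constructed sample data, and the grouping of statuses into "loss" and "lock" sets and the 45-day expiry threshold are this example's own assumptions.

```python
"""Flag risky registrar/registry status in RDAP domain records (added example)."""
from datetime import datetime, timedelta, timezone

# RDAP reports domain state using the EPP status codes in their spaced RDAP
# spelling (RFC 8056). Grouping them into "loss" and "lock" sets is this
# example's own choice, not an RDAP or ICANN categorisation.
LOSS_STATUSES = {"pending delete", "redemption period", "server hold", "client hold"}
LOCK_STATUSES = {"server transfer prohibited", "client transfer prohibited"}
TRANSFER_WINDOW = timedelta(days=60)   # ICANN transfer-policy lock after registration/transfer
EXPIRY_WARNING = timedelta(days=45)    # assumed threshold for an expiry warning


def _parse(ts: str) -> datetime:
    """Parse an RDAP ISO 8601 timestamp, tolerating a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_domain(rdap: dict, now: datetime) -> dict:
    """Return a risk summary for one RDAP domain object."""
    statuses = set(rdap.get("status", []))
    events = {e["eventAction"]: _parse(e["eventDate"]) for e in rdap.get("events", [])}
    findings = []

    loss = sorted(statuses & LOSS_STATUSES)
    if loss:
        findings.append(f"domain is held or being deleted: {loss}")

    # A client lock is a safety net the owner can lift; a server lock is set by the
    # registry and blocks transfer-out regardless of what the owner wants.
    locks = sorted(statuses & LOCK_STATUSES)
    if "server transfer prohibited" in locks:
        findings.append("registry-level transfer lock: cannot move to another registrar")

    # ICANN's transfer policy lets a registrar deny transfer-out for 60 days after
    # registration or a previous transfer, so a freshly moved domain is stuck.
    last_move = max((d for a, d in events.items() if a in ("registration", "transfer")),
                    default=None)
    if last_move is not None and now - last_move < TRANSFER_WINDOW:
        findings.append(f"inside 60-day transfer lock until {(last_move + TRANSFER_WINDOW).date()}")

    days_to_expiry = None
    if "expiration" in events:
        days_to_expiry = (events["expiration"] - now).days
        if days_to_expiry < EXPIRY_WARNING.days:
            findings.append(f"expires in {days_to_expiry} days")

    return {
        "domain": rdap.get("ldhName", "?"),
        "at_risk": bool(findings),
        "findings": findings,
        "days_to_expiry": days_to_expiry,
        "client_lock": "client transfer prohibited" in locks,
    }


# Constructed sample RDAP records (not real domains): one that mirrors the
# situation in this thread, one in a healthy state with the owner's own lock set.
SUSPENDED = {
    "ldhName": "example-suspended.test",
    "status": ["pending delete", "server hold", "server transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"},
        {"eventAction": "transfer", "eventDate": "2022-05-10T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2023-03-01T00:00:00Z"},
    ],
}
HEALTHY = {
    "ldhName": "example-healthy.test",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2023-03-01T00:00:00Z"},
    ],
}
NOW = datetime(2022, 5, 31, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def run_checks(records=(SUSPENDED, HEALTHY), now=NOW) -> list:
    """Evaluate every record; a monitor would alert on any entry with at_risk=True."""
    return [check_domain(r, now) for r in records]


if __name__ == "__main__":
    for result in run_checks():
        print(result["domain"], "AT RISK" if result["at_risk"] else "ok", result["findings"])
```

In practice the `rdap` dict would come from the registry's RDAP endpoint for the TLD (found via the IANA RDAP bootstrap registry) on a daily schedule, with an alert on any change in `status` or on `at_risk` flipping to true; that gives the owner a warning before a hold turns into deletion rather than after.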


WOW. This sounds extremely bad.

I started using a personal domain just for email to avoid Google AI kind of screwups, I didn’t know a domain name can have this kind of screwups. I am using a traditional domain hosting company now, definitely not going to use this kind of new tech company to handle the most critical thing.


"fraud review". That's intentionally vague, especially considering how often they simply ignore complaints about clear and unambiguous phishing sites they host.


> it appears to have been a false positive

That's a scary answer. Guess I'll put only mirror/backup domains behind CF in the future.


'behind CF' isn't the problem, if I understand you correctly, it's that in OP's case CF was the registrar.


When I reported fraudulent activity (attacks on enterprise accounts) from CF IPs they told me to f*ck off, their customers know what they're doing. Wondering what it takes to ban someone on CF.


Denying abuse and aggressively policing for it are both ways of achieving the same thing, that is, minimising liability


> The suspension is permanent and we will not be making changes on our end.

"J/K LOL"


If you live in the EU the article 15 of the GDPR grants you the right to ask about the details. Often companies reply that they don't need to answer because of ¨security¨ but this is not true. You can in detail ask about ALL personal data that was used as an input for this decision, information about the ¨automated decision-making¨ (algorithm), and all personal data that resulted out of this process. https://gdpr.eu/article-15-right-of-access/

If any of this data is false you have the right to rectification. https://gdpr.eu/article-16-right-to-rectification/


> You can in detail ask about ALL personal data that was used as an input for this decision, information about the ¨automated decision-making¨ (algorithm), and all personal data that resulted out of this process. https://gdpr.eu/article-15-right-of-access/

That is only true in specific cases of processing, as detailed by article 22: "a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".

In the case of a domain name used for email I think you could legitimately argue that the decision "significantly affected" you, but it's kind of undefined so far what the bar is for this criterion.


In this case cloudflare has produced a legal effect with putting the domain into pending delete because this is an ownership transfer back to the registrar (of a property they don't even own, so stupid...).

For me deleting my domain would be far worse than deleting my telephone number and significantly affect me. But yes, this is a case by case decision.

I just wanted to say something like: You have rights. Don't be afraid to use them. These companies are not above the law.


> a decision based solely on automated processing,

"this account was identified in a recent fraud review, however it appears to have been a false positive"

> which produces legal effects

Deprivation of property.


I suspect the workaround on the side of the companies doing this is to include human review (or appeals) to ensure the decision is no longer based "solely on automated processing".

Even if not intended, a reviewer that sees mostly true positives is very likely to become a blind rubber stamp.


Good point. But even if they (any of those corps running algorithms but no customer support worth the name) comply (which I won't take for granted), you will get some code or keyword that fraudulent activity was detected. Very unlikely that they have technical details of the root cause in their customer DB.


I don't think so. I have not worked on many fraud detection systems but in all cases there was a very detailed record in the logs of what happened and how the decision came to be. In addition, if there was a human review additional data is often generated. You can't just flip a bit in the customer record, or can you? (Edit: And if no information is in the logs I would argue that all information is in the input data and fraud detecting algorithm and thus the algorithm itself gets part of the data. Whatever happened, if the action can not be "replicated" / understood with the data you got after the article 15 request the data is not complete.)

Since the domain and account belongs to you as a person, this is all personal information under GDPR.


I've done this with Instagram in the past, and funnily.. after a few emails back and forth.. they just reinstated my account..? and told me to download my data the normal way.


Well, I'd hope affected users could submit (reasonably anonymized versions of) what they got to HN in the future, so we can stop speculating.


While thinking about it I found an interesting fact: if they don't produce the data that led to the account ban because they "don't have it", they don't actually have proof of fraud anymore. If they don't have proof of fraud you can invoke GDPR article 16 "Right to rectification" and "unfraud" your account. Theoretically they can't argue against it because they don't have any data to argue with...

If they don't unfraud you AND don't produce the data, they are not in compliance with either article 15 or article 16 and have delivered the proof of noncompliance themselves.


Did you know that you're using umlauts instead of double-quotes? It looks a bit strange.


FWIW I also had a recent experience with Cloudflare "Trust & Safety" and it was my first negative Cloudflare experience, unfortunately.

A client-of-a-client had their site reported to CF for malware distribution via Netcraft. I reviewed the site and found nothing unusual-looking. I dug out a month's worth of access logs for the site, carefully filtered them, and then eyeballed all of the tens of thousands of remaining lines, and again, nothing unusual. No sign whatsoever that the site had ever distributed any malware.

There were signs that the site had been probed a number of times by one or a few bad actors, a bit more than just the usual background scanning. Best guess was that, having failed to take the site down through direct means, somebody filed some fraudulent reports against it.

DigitalOcean also received a report on the site, and that's where the difference in handling the issue really became apparent. I sent essentially the same response to both DO and CF. DO sent back a quick, "thanks for taking a look at it, we're not going to take any action at this time, have a nice day" response.

Cloudflare on the other hand pre-emptively took the site down and then took a while to reply at all. When they did, the reply was extremely opaque: "this report has been processed". Like, okay... and?

I had by that time already routed the site off of Cloudflare and had it back online, so the impact was minimal, but now that I know what it's like to deal with this category of issue at Cloudflare, I have to ensure that it's always easy to take anything off of Cloudflare. I love Cloudflare generally, so this is really disappointing.


My only interaction with cloudflare's "Trust and Safety" team involved reporting a site using their services, and that site hosted a large archive of child pornography [1], for which I provided a sizable chunk of evidence, which would have let them easily verify my claim.

All I got back was a canned response that cloudflare is not actually hosting anything and cannot do anything and will forward my complaint to the ISP that really hosts the website.

Replying back to that email, asking whether they couldn't at least close the cloudflare account in question, I was greeted with exactly the same canned response again.

Responses from the law enforcement agencies I tried were also rather underwhelming, but that isn't Cloudflare's fault.

This was a while ago, and it all was rather discouraging. And I can only hope they got their act together now...

But I guess not. I just checked, and the site is online again, under the same domain, and using cloudflare again. I'll report them again now, I think.

[1] Including a lot of the child porn this UK blackmailer had traded and sold: https://www.bbc.com/news/uk-england-birmingham-59614734 The site I reported was re-selling the stuff for crypto or gift cards, with a lot of free samples.

Now you may wonder why in hell I would even know about any of this. I used to be a small time moderator on a small time website where some of our users shared some of the content/links to the content.


Maybe report through the IWF? https://www.iwf.org.uk/about-us/how-we-assess-and-remove-con...

Cloudflare apparently signed up as a member in August of 2021: https://www.iwf.org.uk/membership/our-members/cloudflare/


Good suggestion. Filed a report with them as well now.

Cloudflare in the meantime gave me another canned response, saying they aren't hosting anything, etc, but at least this time they also included this:

> This email is to confirm that your abuse report to Cloudflare has been received and will be processed shortly.


I don't understand why it's so hard for companies to discriminate between sites like your example and sites like my example.

This part of hosting actually worked better back when we were all using GoDaddy and Bluehost and the like.


If they didn't give a crap about CP, what the heck did they think OP did?


Isn’t CloudFlare’s whole schtick about keeping you online? Requiring you to deploy technical means to deal with your domain name being automatically thrown under a bus by their AI seems like the exact opposite of what I’m looking for.

Does this only affect free accounts? Do you at least get an account manager for escalation if you pay?

Honestly, this whole thing of scaling service abuse handling through AI is a dumpster fire.


His account was free but had many paying client accounts as well.


>I have to ensure that it's always easy to take anything off of Cloudflare. I love Cloudflare generally, so this is really disappointing.

This line pretty much echoes my attitude to CF going forward. Come to think of it, not just CF; I guess it's going to apply to every company I deal with going forward. Although it sounds good in theory, I wonder how hard it is going to be to apply this in every situation where I rely on a third-party company.


Yeah. CF and kin provide a lot of advantages for cheap, but they are also big consolidations of infrastructure. There are more companies than ever before that can carelessly ruin your day, and they all have more customers than they can handle, and none of them want to staff a support team.

You can burn a lot of productivity trying to make everything completely fail-safe. Building stuff out of today's technology requires deciding which companies you're willing to gamble on and accepting that eventually the odds will catch you.


Huge thanks for taking the time to post this. I am working with clients who are disrupting Chinese imports for things more easily made here, and the number one concern is bad actors using any easily available digital means to interrupt operations. DO sounds like the way to go.


I can’t believe how lightheartedly you are taking this. (edit: I guess your initial reaction when the domain was reinstated was probably a bit of euphoria).

This faceless corporation simply took away your property without explanation or warning, and didn’t even feel any obligation to explain why.

For many people the consequences might have been losing their own or even their family’s source of income.

Their behavior was despicable and callous.

When did these tech companies start thinking they were all-powerful and above the law like this?


> I can’t believe how lightheartedly you are taking this.

What is the alternative though?

The web has turned into this massive mess where most of us don't have the ability to do anything without having to rely on some ban-happy mega corp.

Even something that was built to be decentralized like email has turned into a (sort of) centralized architecture; try hosting your own email, everything goes into spam.

Host a website and piss off some kid with $5 to spare, you get DDoSed.

The web is owned by the big corps; as long as every one of us comes together and fixes this, it will be a very long time (if ever) before we have a truly decentralized internet.

So yeh, the only option I have is to take this lightheartedly and move on.


> What is the alternative though?

> The web has turned into this massive mess where most of us don't have the ability to do anything without having to rely on some ban-happy mega corp.

That's absolutely not true. You're drinking the HN/startup koolaid if you think everything should be on CloudFlare/AWS/Google/Microsoft/etc and there's no other way. Obviously VCs would love for you to think that but it doesn't make it true.

Domain registrars are plentiful. Dedicated server providers are plentiful. Hell, "shared hosting" is still a thing and may be perfectly appropriate if all you need is a static site.

Pick a mid-sized company whose objective is to deliver great service rather than one whose objective is either "growth and engagement" or to monopolize the internet. Ideally pick one within your jurisdiction so that you have more recourse if things go wrong.


I agree with your point. But I think Microsoft doesn't belong to this group. I never read an auto-ban story from Microsoft. And my experience is that you can talk to a human customer service rep at Microsoft.


There was just an article on HN 2 days ago[1], with duplicates, about Microsoft opaquely locking Minecraft users out of their accounts, with little in the way of acceptable recourse (give Microsoft your phone number and pray).

1: https://news.ycombinator.com/item?id=31551846


I signed up for an email address once, then they locked my account requiring a phone number because of "suspicious activity", where obviously the only suspicious activity was that they didn't have my phone number.


Don't run to another big corp for safety. Go small maybe medium.


I have a cheap VPS, host my own email, host my own websites, never had any of the problems you are describing.


I too host my sites manually. What happens when your site that's hosted on the VPS gets noticed by a trigger happy skiddie? What happens when they start eating up all your bandwidth? Your VPS provider will be more than happy to null route you.

For the websites you own, you registered your domain with someone right? What happens when that company decides to have some AI decide if you are doing something illegal?

Until today I "never had" any of these issues as well, the main issue here is we have to rely on large companies (or small companies for that matter tbh) to do "the right thing", and we don't have many options to solve it. I got super lucky some folks browsing HN decided to get my post some attention.


> Your VPS provider will be more than happy to null route you.

That is a lot better than deleting your domain and refusing to talk to you. If you need more bandwidth your VPS host will be more than happy to take your money. And short downtimes are not really much of a problem for personal websites and email. Losing your domain name is a much bigger concern.

> For the websites you own, you registered your domain with someone right? What happens when that company decides to have some AI decide if you are doing something illegal?

Has that EVER happened with any registrar that is not also handling other things like hosting or CDN for you? With just the domain all they could base their "AI" on would be the domain itself unless they go actively prodding third-party servers.


I’m trying to understand the point of this anecdote. Plenty of people who use Cloudflare could post the same comment. And there are plenty of self hosting horror stories involving smaller solutions.

On the topic of hosting email specifically, I thought it was pretty universally accepted as a tricky prospect. It’s possible to get right, yes, but tricky nonetheless.


It would never happen in a real enterprise like AWS. Cloud flare is small potatoes compared to Amazon.


> The suspension is permanent and we will not be making changes on our end.

Someone else in this thread explained this as "they're flat up holding it hostage until it's publicly available for anyone to register."

I will not do business with companies whose word is final, with no explanation and no recourse whatsoever, unless you shout loud enough that someone higher up the org tree decides to figure out what has happened. Especially when the decision actually comes from a fallible, subpar automated system. Fuck that dystopia. Shameful behaviour, Cloudflare.


Same here. Domains are the only thing I can't replicate or make redundant. If there is ANY risk of me getting locked out of my domains without even the possibility of transferring the domain away to another registrar, then I'm gone.

Bye, cloudflare.


If I had to guess, the OP's payment method is specifically what got flagged, resulting in the domain being blocked.

See https://community.cloudflare.com/t/domain-not-working-after-... where someone who appears to be the OP mentioned that CloudFlare auto-refunded some charges.

CloudFlare should still post a public postmortem as to how this user got wrongly flagged (excluding any personal info). The OP has already consented to this: https://news.ycombinator.com/item?id=31574656


Yep, that's me. It's linked to my personal credit card from RBC bank Canada, which I pretty much use for everything else. Haven't seen anything from my bank either. I just see the refund in my account.

Let's hope CF will tell us what exactly happened, why they were so aggressive, and why there was no warning to let their customers prepare before they decided to do this.


Wow, that's terrible. Thank you for the heads up. Just transferred my domains back to namecheap.

While we're all here venting about Cloudflare, is anyone else frustrated about how they lure you into their CDN product with "free" bandwidth, but then arbitrarily lock so many useful features behind what I can only imagine is a thousands-of-dollars-per-month enterprise plan? Just look at their cache-purging page for an example of this; everything other than basic purge by URL is enterprise only: https://developers.cloudflare.com/cache/how-to/purge-cache/

These days Cloudflare is literally my last choice for a CDN for my new projects, and I try to warn against others considering using it. My new go-to is bunny.net, who charges a reasonable usage-based fee for bandwidth and gives you unfettered access to all the features they've built. Though I'd even reach for Cloudfront with their expensive bandwidth costs these days, because at least their pricing is transparent and scales smoothly with usage, and they don't arbitrarily cut you off from useful features.

Even their bandwidth might not really be "free", since I've heard if you actually use any significant amount, the sales people will come knocking on your door to coerce you to get on the same enterprise plan or have your site taken down.



Nope, thanks for bringing it to my attention. Though not sure who to trust at this point haha...

Anyone have other recommendations for where I should keep my domains?


I picked Porkbun from other threads on this topic. You can search "registrar" on hn.algolia to see yourself, but tbh I never really found a single _consensus_ opinion.


Gandi.net has always lived up to their (literally) no-bullshit reputation for me, and I've pretty much only heard good things about them as a registrar.


I used to have all my domains with Gandi.net. One time, they had a billing issue with me. I disputed it with my credit card company and got a refund. So Gandi.net locked my entire account and none of the sites worked until I paid the $10 they charged for disputing "their" billing issue. Only after paying the $10 ransom was my account restored. I promptly moved ALL the domains to Porkbun. I also paid for a 10-year renewal for my personal website, so someone from Porkbun actually called me on the phone to confirm that it was not a mistake on my part and I truly intended to renew my personal website for 10 years. I have been happy with Porkbun and would recommend them. Yes, humans at Porkbun do manually reply to the emails and answer the phones.


> I also paid for 10 year renewal for my personal website, so someone from porkbun actually called me on the phone to confirm that it was not a mistake on my part and I truly intended to renew my personal website for 10 years.

That would annoy me - I should not have to bother with phone calls for something as sensible as making sure a domain I care about stays under my control for as long as possible. That is unless that was a vanity gTLD with particularly high renewal fees.


Hello, I'm the Head of Trust & Safety. Please forward me the email? This is very likely legitimate and from our team, but I'd like to confirm. justin@ cloudflare.com


I recently transferred my domains from Google to Cloudflare precisely to avoid being terminated by Google's false-positive AI. Now Cloudflare is pulling the same stunt? Is there anything you can say to reassure your customers? Or do we need to find another registrar?


I don't know if they recently started allowing the use of any nameserver apart from Cloudflare's nameservers after transferring the domain. This vendor lock-in is what prevented me from using Cloudflare, but it turns out there is another reason, reading OP's text.

For domain name registration, I tend to trust smaller players. They tend to not run bullshit AI to suspend customers, and are small enough to be able to spend at least a minute reviewing any flagged user accounts.


This mirrors my strategy personally and professionally. I’ve dealt with CF Trust and Safety before, and they are hands down the most opaque organization I’ve ever dealt with. It’s almost like they take pleasure in being withholding, far beyond anything I’ve ever seen from a “trust and safety” team anywhere else.


Hey, Justin... Perhaps you can explain why this happened in the first place while also explaining why you ignore complaints about tons of spammers and scammers that are hosted(note) on your platform?

(note) hosting is providing services on the Internet without which a site / domain won't work, so please don't try to pretend you don't host because you've decided to redefine "hosting".


proxy =/= hosting

understand the tech, there is no redefinition going on


Cloudflare does lots of hosting too.


It’s very disappointing to see the same old big tech false positive “no appeals” failure from Cloudflare. I’m extremely bullish on Cloudflare because I think the way Pages/Functions work with framework adapters is a compelling solution.

Why can’t anyone come up with a solution that keeps this kind of thing from happening? How much does it cost to phone someone before potentially ruining their life and why can’t we simply pay money for that option?


If malikNF consents, would you share your findings here? It's concerning you can be banned without so much as a brief sentence explaining why.


I just forwarded the email to them. I will update what happens once it's sorted out. I am hoping this is a mistake on my end, because it would suck so much to move all the stuff from CF; this is pretty much the ONLY issue I have had with them in the last 6ish years of using and recommending them to everyone.


If anyone from CF wants to explain what happened, I give my consent to disclose what exactly went wrong. Provided no personal info is posted.


Didn’t they get exactly a “brief sentence explaining why” in:

> Your account violated our terms of service specifically fraud


That's not really an explanation. An explanation would be something like, "we discovered that you (lied about your identity/used your website to organize or commit criminal activity/etcetc.) - literally anything that gives the user enough context to figure out if this was an accident or a misunderstanding and defend themselves.


This was a false positive that was upheld through at least one round of human review.

That is incredibly concerning for your existing customers. Is there anything that legitimate users can do to preemptively verify their accounts so that they at least can't get taken down without human review?


This is terrifying, as I've transferred my domains to you some time ago.


Justin, are there any plans to change the awful T&S processes Cloudflare has? This thread is full of issues and I experienced something similar, except I got told to email my credit card info to support: https://socialism.tools/why-i-ditched-cloudflare-and-you-sho...


Will do. Thank you.


I know this sounds very cynical, but there's something funny about a company doing this automated trust and safety with zero recourse spiel while being entirely okay with hosting sites where people are bullied into suicide because we can't just deny service to technically legal websites as a pseudo public utility.

Pick a lane.


^ kinda right, you know.

As long as kiwifarms and others are hosted behind cloudflare, this statement is true.


Good point, but fraud and theft are different than being unpleasant or cruel.


I'd imagine both fall under "trust and safety". And let's not water it down - targeted harassment is not "being unpleasant".


Both might be considered morally wrong, but only one seems illegal.


I assure you, targeted persistent harassment is in fact not legal in most countries. With caveats for public figures and failing enforcement.


What do you mean by "most countries"? The only country that matters is the US.


And that one is a trivial search and click away: https://kellywarnerlaw.com/online-harassment-laws-united-sta... "most countries" was added for extra context.


Undoubtedly. But if you go the length to defend the morally indefensible purely though legality because you consider yourself as part of the commons somehow, a sort of neutral carrier maybe you should extend that principle to your appeal process and not make it an intransparent kafkaesque nightmare you can only resolve by getting enough people on Hacker News angry.


> Your account violated our terms of service specifically fraud.

Honestly, this phrase is raising phishing alarm bells in my head, though xxdesmus said it's `likely legitimate`. The punctuation and capitalization is lacking, and really makes it sound... off.

Edit: I originally thought this was an email, but upon reading the post again it sounds like a response to OP's support ticket. There's a lot less effort involved in responding to a support ticket or chat message than the effort involved in writing up email templates, so my point doesn't quite apply here.


Yeah, the lack of comma, and the phrase "specifically fraud", are extremely alarming to me.

I understand that not all developers are native English speakers, but far more scammers are non-natives than devs are; not to mention, there are likely checks in companies like this to proofread any text before it goes "live".


> there are likely checks in companies like this to proofread any text before it goes "live".

… yeah … there's really not.

I've both found such errors (there are a few that exist in Azure's stuff, for example. One I know exactly how to trigger: attempt to create a SP for an app in the same tenant as you, but while lacking permission to do so. The error is both grammatically malformed as well as illogical. Azure knows about it … but AFAICT, they don't have the internal processes to fix it.)

I've also caught a few of these before the train left the station as a gratuitous code reviewer. There are definitely some that have slipped by.

At a previous employer, my SO found one in ~10 minutes of playing with our product… and rightly gave me some light-hearted jabs about it.

I'd want to see the whole email. Whether it weighs more towards phish or error would depend on the surrounding context, and whether SPF/DKIM/DMARC pass. (The OP says they did (but it was a later comment), so…)


>to proofread any text before it goes "live".

Not on the internet I use. Even the old school newspapers are failing basic grammar things that anyone calling themself an editor would catch. Mainly, because they are not getting edited at all. Reports get entered into a CMS, a publish button is pressed, viola, first to publish! Yay!!! Only, in the rush, basic grade school grammar is non-existent and makes my brain slow down, and decipher what was meant, and makes me no longer want to keep reading.


> Even the old school newspapers are failing basic grammar things that anyone calling themself an editor would catch.

I've seen articles by the AP (!!) that clearly have not gotten enough scrutiny (typos, etc).

> Reports get entered into a CMS, a publish button is pressed, viola, first to publish!

Publishing articles is no time for stringed instruments [1]. Unless maybe you meant it as some kind of fanfare upon publication? :P

[1] https://en.wikipedia.org/wiki/Muphry%27s_law


Spell checking, it's impotent.


> viola

Oh, the irony...



Meh, it's not like native speakers use perfect grammar. People who learned English properly are actually better at punctuation and spelling than most native speakers in my experience. And the transactional messages often get only as much review as any other PR. There's some signal here, but not much.


Ever since CF went public, their support quality has fallen off of a cliff. It's really sad to see as they have a great service, and especially recently have built some amazing stuff. I just don't understand why humans helping humans has become so much of a thing to avoid.

Yes it's tricky, and it doesn't scale well, but that's the price you pay when working with people.

Glad that there was a good outcome, but very sad to see it took getting on Page #1 of HN to be resolved.


This sounds like a phishing expedition to provoke you into rash action. Pause. Take a breath. Don't click anything. Try to contact the company via a safe secondary channel like landline telephone and start by politely verifying if they've contacted you by email for any reason in the recent past.

If it really is from Cloudflare then they are trash beneath contempt and you should extricate your interests as fast as humanly possible.


It is actually from cloudflare. When I stopped receiving emails I checked my cf dashboard and figured something was wrong.

So I opened a support ticket and someone from their support team closed the ticket and said their safety team will respond to me.

Few mins later I got an email from them with the content in the original post.


You're absolutely sure right? You responded by some other means than clicking a link or hitting reply on an email? Sorry to put my forensic "fascist hat" on, I know you're not an idiot, but it's so easy to get into a tunnel vision state of action when your emotions are provoked. That's what clever account takeovers are worded to do.

If it seriously is Cloudflare then the wording of that email you posted is grotesquely unprofessional.


haha yes, I am the one who initiated the communication. Just to be double sure, I checked the email header in Gmail; Gmail seems to agree the DKIM and DMARC are all good.
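The "check the headers" advice in the two comments above (whether SPF/DKIM/DMARC pass, and what Gmail's header view agrees to) is easy to get subtly wrong, because a phisher can stamp their own Authentication-Results header before sending. The following is an added example, not code from the thread or from Cloudflare: it parses the topmost Authentication-Results header (RFC 8601) of a raw message, trusts it only if the authserv-id is that of your own receiving MTA, and then requires dkim=pass and dmarc=pass aligned with the From domain. The three messages are constructed; mx.example.net, sender.example and mail.attacker.example are placeholder names.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: what a receiving MTA stamps at the top of a message that
# passed DKIM and DMARC. All domains, selectors and the authserv-id are placeholders.
LEGIT_MESSAGE = """\
Delivered-To: me@example.net
Authentication-Results: mx.example.net;
       dkim=pass header.i=@sender.example header.s=sel1 header.b=abcd1234;
       spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bounce.sender.example;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=sender.example
From: Trust and Safety <noreply@sender.example>
To: me@example.net
Subject: Your account

Your account violated our terms of service, specifically fraud.
"""

# Constructed: same message, but our MTA found no signature and DMARC failed.
FAILED_MESSAGE = LEGIT_MESSAGE.replace(
    "dkim=pass header.i=@sender.example header.s=sel1 header.b=abcd1234", "dkim=none"
).replace("dmarc=pass", "dmarc=fail")

# Constructed: a phisher pre-stamps a glowing Authentication-Results header
# under a made-up authserv-id, hoping a naive check trusts it.
FORGED_MESSAGE = LEGIT_MESSAGE.replace("mx.example.net;", "mail.attacker.example;")


def parse_authentication_results(value):
    """Split one Authentication-Results header into its authserv-id and
    {method: {"result": ..., "ptype.property": value, ...}}."""
    value = re.sub(r"\([^)]*\)", " ", value)   # drop comments such as "(p=REJECT ...)"
    value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()   # ignore an optional version number
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def _aligned(signing_domain, from_domain):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    return (signing_domain == from_domain
            or from_domain.endswith("." + signing_domain)
            or signing_domain.endswith("." + from_domain))


def sender_authenticated(raw_message, expected_authserv_id):
    """Return (ok, reason). ok is True only when our own MTA reported
    dkim=pass and dmarc=pass for the domain shown in the From header."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return False, "no Authentication-Results header at all"
    # Only the topmost header is ours; anything further down was already in
    # the message when it arrived and may have been written by the sender.
    authserv_id, results = parse_authentication_results(headers[0])
    if authserv_id != expected_authserv_id.lower():
        return False, f"topmost Authentication-Results was stamped by {authserv_id}, not by our MTA"
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dmarc = results.get("dmarc", {})
    dkim = results.get("dkim", {})
    if dmarc.get("result") != "pass":
        return False, f"dmarc={dmarc.get('result', 'absent')}"
    if dmarc.get("header.from") != from_domain:
        return False, "DMARC was evaluated against a different From domain"
    if dkim.get("result") != "pass":
        return False, f"dkim={dkim.get('result', 'absent')}"
    signing_domain = dkim.get("header.i", "").rpartition("@")[2] or dkim.get("header.d", "")
    if not _aligned(signing_domain, from_domain):
        return False, f"DKIM domain {signing_domain} is not aligned with From domain {from_domain}"
    return True, f"dkim=pass and dmarc=pass, aligned with From domain {from_domain}"


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("failed", FAILED_MESSAGE), ("forged", FORGED_MESSAGE)):
        print(name, sender_authenticated(raw, "mx.example.net"))
```

Gmail's "Show original" view does the same thing for you, but with the caveat shown in the forged case: a passing DKIM/DMARC line proves only that the sending domain signed the mail, so for a "your account is suspended" email the domain in header.from has to be the provider's real one, and the safe response is still to open a ticket from the dashboard rather than reply or click.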


All of Cloudflare's actual abuse emails look like phishing emails. They told me to email credit card and my Gov't ID in plaintext to them.


Did you have any other domains on the account, or shared access with other accounts?

I hate how legal has forced every trust & safety team to just blanket reply "You were banned. We won't tell you why. We won't overturn. Go away." It's absolutely impossible to contest without public attention or legal action, and is often just a simple mistake.


> often just a simple mistake

More often than not it's not a mistake.

Very simply put, fighting abuse is very asymmetrical and a lot of the approaches just even the playfield. They will make you put in more effort for them to put in effort.

Unfortunate, but the only way it's sustainable.


> Unfortunate, but the only way it's sustainable.

Businesses throughout history have been sustainable without needing to ban people at random with AI. This AI hell is a new phenomenon in the past 10 years and it's purely driven by cost-cutting.


> Businesses throughout history have been sustainable without needing to ban people at random with AI.

When the cost of abuse lowers, so must the cost of defense. So of course cost-cutting has to happen. Otherwise it's going to be a financial DoS.

All that is though only if you want services to have free tiers. If you're willing to pay for everything then sure, it becomes easier. I'm actually quite certain one will encounter much less "AI" when stuff is actually being paid for.


Then they should automate a way for the domain owner to transfer the domain out when they decide they don't want your business. There's no reasonable excuse to hold a domain hostage. Their registrar is also not free.


You do have a point about the free tiers. I try to pay for things where I can, for example I'm a happy Fastmail user (and you should be too!) But paying for things is still no guarantee, see also: the OP. Google and Discord are both infamous for this. They treat paying users and free users the same. eBay charges for their service too, and I had a ~15 year old account banned. Why? ¯\_(ツ)_/¯ If you've been collecting my money for the past 15 years, can't you spare 5 minutes to sanity check your AI?

I guess besides free users, the other exception is payment processors. I don't envy Stripe or PayPal.


Businesses in the past generally did not have hundreds of millions of people actively using their services 24 hours a day. This was rare even a decade ago.


Businesses throughout history haven't had to deal with anonymous global customer bases that could be automated.


This isn't "make you put in more effort". The customer put in more effort when they reached out to Cloudflare (because Cloudflare didn't even bother to send them an automated email). This is "you have no recourse unless you happen to get popular on the Internet or know someone".


> More often than not it's not a mistake.

So? A false positive rate of 50% is wholly unacceptable when banning people from critical online infrastructure.

> Unfortunate, but the only way it's sustainable.

This common talking point is just BS apologetics.

There is a long history of ways to manage disputes without sending such useless explanations. These companies are just too cheap or lazy to bother.


> A false positive rate of 50% is wholey unacceptable when banning people from critical online infrastructure.

Where'd you get that number?

> There is a long history of ways to manage disputes without sending such useless explanations.

Sure, the legal system.


> Where'd you get that number?

Your use of the phrase "more often than not" applies up to 50% and is thus meaningless given that such a false positive rate is unacceptable.

> Sure, the legal system.

It's pretty hard to file a legal claim without facts to contest...which is precisely the point.


Hope you get it figured out.

This is an example of why it's a good idea to keep your domain registrar separate from as much else as possible. The more services you use from a company, the more surface area there is for your account to get inadvertently flagged, and the bigger impact a suspension will have.


That's a good point. Will apply this going forward.


Once you transfer your domain out, make sure to take them to arbitration since you must have paid for their services. The more people take these orgs to arbitration, the more fearful they will become of making such blanket bans. There was a recent post on HN about arbitration [1]

[1] https://news.ycombinator.com/item?id=31567673


The biggest deal to me is here is no escape hatch. If Cloudflare decides they don't like me, fine. But give me a button-press way to transfer my domain out, immediately, then. No asking, no waiting. You ban me, you crack open that functionality at the exact same time and link to it in your "we don't like you anymore" email.


Seems like removing a site and accusing it [the owner] of being fraudulent would be some sort of slander/defamation and require a lot more proof and/or liability should they be wrong.

The ai world should have some penalty for being wrong to discourage this sort of behavior in a punitive way. This would dissuade companies from scaling before things are really ready.

Thoughts?


At this point we should just rename HN 'cloudflare support'.


HN is also the Stripe and Google hotline.


Oh for F's sake..

I had moved my domains from Google to CF sometime ago, assuming my emails etc. are protected, and now this.

Honest question: What is a good registrar? I used to use Namecheap in the past and have nothing against them.

Unfortunately, unlike other things I cannot self-host a registrar.

Thoughts? Suggestions?

Edit: TBH, I find this wording rather rude "The suspension is permanent and we will not be making changes on our end." especially for a paid product.


> What is a good registrar?

Find a small registrar which still is technically competent to know what they’re doing. Bigger is most assuredly not better when what you want is to actually talk to somebody when things have gone pear-shaped. If possible, find somebody as local as possible.

Disclosure: I work at a small registrar, but you’re not in our target market.


I should clarify, my account is a free cf account. Only thing I paid for was to extend my domain registration.


I too have a free CF account, but I pay them to register my domains. Hence I used "paid product". I don't use other CF features and am using them just for registration purposes.


> Unfortunately, unlike other things I cannot self-host a registrar

Use .fi domains and you absolutely can. You really don't even need to code, run or host anything either unless you wanted to. Probably goes for some other lesser known ccTLDs too I'd assume.


Can you provide some details on what that process looks like? I assume you are actually talking about dealing with the registry directly and not just about self-hosting the nameservers the domain points to?


To become a registrar, you need to register with Traficom (the Finnish Transport and Communications Agency). They've got a section on their website devoted to domains[0] and another for registrars specifically[1]. The important bits are the Registrar's Guide[2] and the registration form[3].

Register as a private individual and leave the field where they ask if you want your contact info listed for consumers unchecked. Then, once they process the application and you're a registrar, never register domains for anyone but yourself.

The bit about not needing to host or code anything was a reference to the fact that Traficom maintains a registrar web interface[4]. If you're a low volume registrar, which you should be since you're a registrar for yourself, the web interface is all you need.

Now, couple of things I'm uncertain about: whether or not the registration process involves fees for non-citizens, and which payment methods they support besides SEPA transfers.

[0]: https://www.traficom.fi/en/communications/fi-domains

[1]: https://www.traficom.fi/en/communications/fi-domains/domain-...

[2]: https://www.traficom.fi/sites/default/files/media/file/regis...

[3]: https://www.traficom.fi/en/services/registration-registrar

[4]: https://registry.domain.fi/s/


I've been using namecheap for years now without any problems. Others I use or have used and would recommend are Gandi and Porkbun.


How can a "suspension" be permanent? It is by definition temporary. I hate this timeline. If they keep inverting the meaning of words, soon nothing will make sense.


> Like what am I even supposed to do here ?

Not meaning to diminish your (quite reasonable) frustration, but is Cloudflare preventing you from transferring your domain somewhere else?


It's pendingDelete, so they're flat out holding it hostage until it's publicly available for anyone to register.


That’s terrifying. By far the worst part of this. If they ban somebody for TOS violations that is fair, but preventing people from transferring out their domain and setting it to pendingDelete is really insidious. What they are doing is akin to stealing anyone's domain name permanently with no recourse. This may be grounds for a lawsuit.


It's abuse and theft, plain and simple. Replace "domain" with literally any physical object. You can't just take someone else's shit, no matter how high-and-mighty you think you are (excepting governments, of course).


Oh, if anyone wants to argue that it’s “in the TOS” that sounds like a contract no normal person would sign and likely not enforceable (IANAL) if pushed. No “sane” person would say, “yeah, if you think I’m doing something wrong, just sell all my shit!”


It’s sickening. They are committing a massive crime here and getting away with it. It’s time somebody alerts the media and blows the whistle on Cloudflare's abusive actions.

I wonder how many customers' domains Cloudflare stole/deleted whose owners didn’t have the luxury of knowing the Hacker News publicity trick?


Indeed, this might likely fall into criminal behavior and not civil (though they’d be liable for civil damages as well). Someone should let a few jurisdictions that have Cloudflare customers, and where theft is illegal, know about this.


I would've 100% sued and paid for PR releases if they deleted a domain name I owned.

I'm sure I could make decent money off punitive damages based off the email they sent, and these headlines would be pretty catchy -

"Tech giant seized and deleted a customer's domain name."

"Using Cloudflare can destroy your business overnight. This is how"

"Own a domain name? Your registrar can delete it without any recourse."

"Cloudflare seized and deleted a customer's domain"

I'd need to check if I can use the word "illegally" in the title.

I hope they compensate OP. I'm sure they could still sue them if inclined..ICANN should have some rules about this.


I implore you to consider alerting media outlets about Cloudflare's abusive actions anyway. More needs to be done to expose Cloudflare’s abusive actions. They can’t keep getting away with this.


I don't wanna spend money or effort on it since I wasn't involved.


If they delete your domain that is a step too far.


Can you still force a transfer in pendingDelete from another registrar?


I think this might be the best solution in this situation. I'll wait for a few hours and see if anyone from CF could help me out with this, and if not use a different service provider.

I know @eastdakota mentioned he has a script that gets triggered when someone mentions cloudflare on HN, hopefully this will help resolve this issue.
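The pendingDelete question above is decided by the domain's EPP status codes, which anyone can read from the registry's RDAP or WHOIS output before paying a gaining registrar for a transfer attempt. The following is an added example, not code from the thread or from any registrar: it takes an RDAP domain record (RFC 8056 spells the EPP codes as "pending delete", "client transfer prohibited", and so on; the camelCase WHOIS spellings are normalised to the same form) and lists every reason a transfer-out would be refused, including the 60-day lock ICANN's Transfer Policy applies after a registration or a previous transfer. The three records and the fixed "now" are constructed; example.com is a placeholder.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# RDAP (RFC 8056) spellings of the EPP status codes that block a transfer-out.
LOCK_STATUSES = {"client transfer prohibited", "server transfer prohibited"}
LIFECYCLE_BLOCKERS = {
    "pending delete": "the name is queued for deletion and will drop to the public pool; "
                      "a gaining registrar cannot pull it, only the current registrar can act",
    "redemption period": "the name was deleted; only the sponsoring registrar can restore it "
                         "before any transfer is possible",
    "pending transfer": "a transfer is already in progress",
}
# ICANN Transfer Policy: no inter-registrar transfer within 60 days of the
# initial registration or of the last inter-registrar transfer.
TRANSFER_LOCK_DAYS = 60


def normalize_status(s):
    """Map EPP camelCase ('pendingDelete') and RDAP ('pending delete') to one spelling."""
    return re.sub(r"(?<=[a-z])(?=[A-Z])", " ", s.strip()).lower()


def _parse_rdap_date(s):
    # RDAP uses RFC 3339; fromisoformat() needs the Z rewritten on older Pythons.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def transfer_out_blockers(record, now=None):
    """Return the reasons a transfer-out request would fail. An empty list means
    neither the status codes nor the 60-day rule stand in the way (an auth code
    from the current registrar is of course still needed)."""
    now = now or datetime.now(timezone.utc)
    if isinstance(record, str):
        record = json.loads(record)
    statuses = {normalize_status(s) for s in record.get("status", [])}
    reasons = []
    for status in sorted(statuses & set(LIFECYCLE_BLOCKERS)):
        reasons.append(f"status '{status}': {LIFECYCLE_BLOCKERS[status]}")
    for status in sorted(statuses & LOCK_STATUSES):
        who = ("the registrant, via the registrar panel" if status.startswith("client")
               else "the registry; the registrant cannot clear it")
        reasons.append(f"status '{status}': transfer lock set, must be lifted by {who}")
    for ev in record.get("events", []):
        action = ev.get("eventAction", "").lower()
        if action in ("registration", "transfer"):
            age = now - _parse_rdap_date(ev["eventDate"])
            if age < timedelta(days=TRANSFER_LOCK_DAYS):
                reasons.append(f"{action} only {age.days} days ago: inside the "
                               f"{TRANSFER_LOCK_DAYS}-day ICANN transfer lock")
    return reasons


def can_transfer_out(record, now=None):
    return not transfer_out_blockers(record, now)


# Constructed RDAP records (shape per RFC 9083); dates and names are placeholders.
FIXED_NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)

HELD_DOMAIN = {   # the situation described in the thread
    "objectClassName": "domain", "ldhName": "example.com",
    "status": ["pending delete", "client transfer prohibited", "client delete prohibited"],
    "events": [{"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"},
               {"eventAction": "last changed", "eventDate": "2022-05-30T12:00:00Z"}],
}
HEALTHY_DOMAIN = {
    "objectClassName": "domain", "ldhName": "example.com",
    "status": ["active"],
    "events": [{"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"}],
}
JUST_TRANSFERRED = {   # WHOIS-style camelCase status, transferred 12 days ago
    "objectClassName": "domain", "ldhName": "example.com",
    "status": ["clientTransferProhibited"],
    "events": [{"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"},
               {"eventAction": "transfer", "eventDate": "2022-05-20T00:00:00Z"}],
}

if __name__ == "__main__":
    for name, rec in (("held", HELD_DOMAIN), ("healthy", HEALTHY_DOMAIN), ("fresh", JUST_TRANSFERRED)):
        print(name, transfer_out_blockers(rec, now=FIXED_NOW) or ["transfer may proceed"])
```

The practical reading: a "client transfer prohibited" lock is the normal state and is cleared by the registrant from the panel, but "pending delete" is terminal for the gaining side. Once a name is there, no amount of auth codes or a second registrar will pull it; only the sponsoring registrar can stop the drop, which is why the "give me a transfer-out button when you ban me" demand in this thread is the right one.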


This reminds me of the negative experience I had with Cloudflare in the past, the thing that really bothered me about it was that though their system had made actions on my account their own audit log attributed those actions to me.

So I'm still left wondering, was that intentional or a bug?


"I had heard good things about them on here"

No, you did not hear good things about the biggest man-in-the-middle of the internet on here, and you're about to learn the tough lesson others have: don't trust Cloudflare with sensitive accounts or data.


Who are you trusting with your sensitive accounts and data?


Maybe someone that doesn't hold your domain hostage because of a false positive, with no recourse. Not all companies are that bad.


If they're owned, based, and operated from within the EU, and do not have a dire record to their name, then I am very likely to trust them with sensitive things.


What services have contractual terms that prohibit them from taking arbitrary actions against their customers without prior notice? A list would be useful. For B2B use, you probably want to use only such services.


Even for B2C I'd assume.


Actually something similar happened to me with Namecheap a few days ago. They banned one of my domains without any detailed explanation and refused to recover it. I ended up registering the domain again at Cloudflare. Now I see this post, I don't know which company to trust anymore ...

Here is their response when I asked them details:

---

Thank you for your email. We regret any inconveniences you may have experienced.

Please be informed that Namecheap is doing its best in order to reduce any possible misuse of our services. It was noticed that the domain in question was marked as potentially abusive in our system, and we were forced to cancel it based on the result of an internal investigation. Please accept our apologies for the inconvenience caused by this action.

There are two options following which we can resolve the matter:

- Refund the domain to your payment source. - Re-register it for you for free.

Please consider your choice and get back to us with a result.

---


They cancelled and offered to re-register for free? With them?


Yes. I actually chose that option at first, since I wanted to recover the domain quickly. But they didn't reply. So I just registered with Cloudflare and got the refund.


I had a similar experience transferring a domain I registered with Namecheap to Cloudflare. They did not let me add the domain at all citing similar reason. Perhaps the previous owner of the domain was abusing it.


As a Cloudflare user this is quite scary and I'm not willing to put up with a shit show like this. What's a good alternative to CF? I mostly use CF because of their 'bonus' features like WAF.


The question is if you really need their WAF. After all that usually means that you are running insecure/outdated web applications or have SQL injections and while CF might filter some stuff if that's the case I wouldn't completely rely on that either.


I'm mostly running a few VPS servers to host websites. I'm not too concerned about security - i'm more interested in features such as protection from DDoS attacks which I've come to learn that are quite common nowadays.


I'm surprised nobody asked what business the domain was doing, and what could have triggered the flag.

The OP didn't say even one sentence about something like "I didn't do anything fraud related" or "I have no clue why it could possibly be flagged". But from my understanding of the world, if that's what OP thought, he probably would have said it.

I also find that nothing is being served from the domain mnf90.com after it's reinstated, not sure if this has been the case in the last few months.


I used it for my personal email.

>I also find that nothing is being served from the domain mnf90.com after it's reinstated, not sure if this has been the case in the last few months.

https://web.archive.org/web/*/mnf90.com

lol there was nothing else running here. Now that you mention it, maybe I should start blogging here.


Cloudflare is acting really trashy recently from a development perspective also. They have not been fixing their own Terraform provider for months (not speaking about new API things), their shiny and slow-as-Python zero access PWA does horrible things with updates, and they have zero response on community boards. The only way to reach them is to have a paid account and be annoying and rude to support.


I've been running https://T.LY/ and many other sites with Cloudflare. I've never had an issue, but if they detect malicious content, they will alert you of the issue. Is it possible you missed the email or it went to spam?


Not here, but I'd be lying if I said I didn't worry about it.

I've had a small collection of domains with them for eons - probably nearing a decade or longer


How? Cloudflare registrar is not decade old.


> I had transferred the domain from Namescheap to cloudflare because I had heard good things about them on here

Mistake number one - to follow the herd :) Mistake number 2 would be to use Cloudflare for anything - but that's another topic


One of the worst support experiences I ever had was with Cloudflare. They refused to tell me what I did wrong and demanded sensitive PII over email from a shady address. I moved everything I owned off Cloudflare. For paying customers it might be fine but "free, except it might get randomly nuked" is an awful deal. https://socialism.tools/why-i-ditched-cloudflare-and-you-sho...


Maybe @jgrahamc can help


There is an explanation of what is going on; it might be incomplete, but your account has in some way been flagged for fraud or spam. Maybe someone else is abusing your account, or maybe you have a misconfiguration causing this to trigger, but I'd reach out to a service rep.

--

I've experienced a near opposite situation: there was a news story about cloudflare providing ddos protection for a number of websites including the site for "The Proud Boys" (if you haven't heard of them, they're an all male far right american political group fairly well known for their physical fights with various other groups). My client, who was often vocal about politics on their public CEO twitter account, made a statement that if Cloudflare did not end their contract with the proud boys and a couple other unsavory groups then he would find an alternative and move all his current and future projects away from them. So it quickly fell to me to move all his legacy properties off Cloudflare and close out their old account... and while they may have lost him as a future customer, after the pain of trying to find similar levels of service for a similar price I am now recommending Cloudflare to most of my clients over their competitors for ease of use and pricing.


Sometimes it's worth paying extra to not fund hate. They can offer low prices due to scale, so help someone else reach that scale too. I know I'm paying more but at least I'm not indirectly funding pushing people to suicide.


Growing up in the south, I have yet to see a better advertisement against white supremacy than a klan rally. After image googling "mcinnes own the libs," proud boys makes the klan look PR-savvy. Cloudflare made the right call.


Banning sites based on politics is just as bad, don't be fooled.

