Cloudflare and Spamhaus

Spamhaus has been the subject of a lot of discussion the last few weeks. I touched on this a little in June when I blogged that a number of large brands were getting SBL listings.

But big brands are not the only companies with publicly discussed SBL listings.

Cloudflare, the content delivery network that grew out of project honeypot, has a number of SBL listings, covering at least 2 /18s and a /20. Representatives and customers of Cloudflare have been discussing the listings on twitter.

As a content provider, Cloudflare isn’t actually sending mail nor are they actually hosting the content. What they are doing is providing consistent name service and traffic routing to malicious websites. In fact, they’ve been providing services to a malware botnet controller (SBL138291) since May, 2012. They’re also providing services to a number of SEO spammers. Both of these actions are justification for a SBL listing, and Spamhaus has a history of listing providers protecting spammers.

Cloudflare claims they take action on all “properly filed complaints” and they may actually do that. But their reports require quite a bit of information and require consent for releasing information to 3rd parties. Looking at the website, it appears to me to be a site designed to discourage abuse reports and stop people from reporting problems to Cloudflare.

When you look at the Cloudflare business model it’s clearly one that will be abused. Cloudflare acts as a reverse proxy / pass through network that caches data from their customers. This protects the abusers webhosting setup and prevents people tracking the abuser from being able to determine the true host of a website. As a responsible internet citizen, Cloudflare should be disconnecting the customers hiding behind Cloudflare’s services.

Unfortunately, Cloudflare seems unwilling to actually police their customers. They’ve taken a totally hands off approach.

Let’s be frank. Cloudflare has been providing service to Botnet C&C servers for at least two months. It doesn’t matter that the abuser has the malware on a machine elsewhere, Cloudflare’s IP is the one that serves the data. I don’t care what you think about spam, providing service to malware providers is totally unacceptable. It’s even more unacceptable when you claim to be a security company. Nothing about malware is legitimate and the fact that Cloudflare is continuing to host a malware network command and control node is concerning at the very least.

Cloudflare (.pdf) is listed on Spamhaus for providing spam support services. The most obvious of these is providing service to a malware controller. And Spamhaus escalated the listings because they are allowing other abusers to hide behind their reverse proxy.


  1. Fazal Majid says

    On the face of it, it seems pretty damning indeed, but we have to be careful – they may have been asked by the FBI not to disconnect the C&C server, just as was the case for DNSchanger, in which case they would not be permitted to talk about it.

    I was ops manager for a Dutch ISP in 1999-2000 and I was told the Dutch authorities had asked us not to shut down child porn Usenet forums because they wanted to monitor them (and presumably trace and prosecute participants) rather than drive them deeper underground in a darknet.

  2. Al Iverson says

    Yeah, but, Fazal, Cloudflare is not SBL’d with a single listing for supporting a C&C server. There were a bunch of different listings for different kinds of spam and bad stuff. And after the listing, the Cloudflare CEO guy decided to run his mouth about it publicly instead of dealing with it. I’ve heard (admittedly only second hand so far) that they disclaim responsibility for sites reported to them because they don’t host the sites in question. True, but if the connectivity runs through you, and you don’t null route or terminate the bad stuff, then the buck stops with you. And that is where Cloudflare is today, from what I can tell.

  3. Tim Starr says

    Yah, this “I don’t shoot people, I only have a contract to supply the shooters w/ bullets” defense is most unimpressive.

  4. Ken Simpson says

    This is most unfortunate for CloudFlare. They obviously don’t understand the significance of an SBL listing, and the care Spamhaus takes when they consider posting an IP or provider on the list.

  5. Policing customers – Word to the Wise says

    [...] yesterday’s post about Cloudflare and Spamhaus Fazal comments that Cloudflare may have been asked by law enforcement to leave the website [...]

  6. JustinP says

    Disclosure: I work at CloudFlare, and I am extremely active on their abuse team. There is very much a side to this story no one is being told.

    This is paraphrased from our CEO from this blog post on this topic (it’s actually about our general abuse policy/stance) –>

    Spamhaus has an issue with this CloudFlare customer:

    The site isn’t a phishing site and it is not hosting malware. From what the Spamhaus investigator told us, the site is appearing in spam email that was sent through Facebook’s network and was received by some Spamhaus spam traps. We were not able to independently verify this with Facebook, but we are inclined to believe those facts are true. While it would be the most effective way of dealing with the issue, Ironically, Spamhaus is reluctant to block Facebook’s out-bound IP addresses because of a concern about false positives. They have listed the site on the Spamhaus Domain Blacklist (DBL) which we believe is entirely appropriate. So this is essentially Spamhaus going after CloudFlare because they can’t go after Facebook, makes sense right?

    Pursuant to our policy described on our site, we passed the complaint on to the site’s hosting provider and to the customer in question. Based on Spamhaus’s concerns, we are also creating an isolated section of our network for customers that have potential spam issues that are reported by trusted parties. There is additional engineering required to do this, but we have prioritized it and believe it will be online by the end of next week. I’ve been told by people in the industry that this aligns with the policies of organizations like AOL and Gmail. We would be comfortable with Spamhaus listing this limited block of IP space, and we will happily work with them to move customers that appear on the SBL to the “bad boy” block.

    We are taking additional steps to ensure that our customers are not impacted. Our monitoring of the impact of the SBL shows that it has been de minimis but, ultimately, we are fighting the same fight as Spamhaus and so we are hopeful we will able to get this issue resolved. Going forward, our hope is this incident will allow us to better work with Spamhaus and other organizations to get these reports as well as reports on malware/phishing. We should be brothers in arms.

    Our CEO started one of the largest email honey pot networks in the world (Project Honey Pot) and that work there was part of what inspired CloudFlare. Spamhaus does important work and is responsible for helping block a huge percentage of the spam sent daily.

    If this customer is sending out spam messages, then shame on them and the servers they’re using to send messages should be blocked, even if that means blocking Facebook. We are concerned, however, any organization, be it CloudFlare, Spamhaus, sit in a position where they would censor a site that on its face is not causing harm. As a practical matter, we are also concerned that honoring a request to knock this site offline will only open a new abuse vector for people trying to bypass CloudFlare. Add a domain protected by CloudFlare to spam messages and, as soon as there’s a SBL listing, our protections will effectively be bypassed.

    Finally, to be clear, is a free customer. They do not pay us now and, so far as we can tell, they never have. The chatter on Spamhaus’s lists that this is a business decision misses the point. While we philosophically support the mission of Spamhaus, we believe the same philosophical perspective means that we cannot terminate this customer based on the evidence they have presented us.

  7. steve says

    It’s a broader issue than one customer. Much broader. And I don’t just mean that it’s multiple customers.

    However, even if it were just one customer, and they were doing something bad enough to be worthy of an SBL listing, and you continued to host that customer then, yes, you’d be actively supporting abusive behavior. That’s OK as a business model, but one of the costs of choosing to be that sort of business is shunning by the rest of the Internet – and the driving away of legitimate customers that tends to cause can lead to a downward spiral in customer quality.

    Taking on that cost of doing business on behalf of a high-value flagship customer might well be a good business decision in some cases. Doing it on behalf of someone you’re giving service to for free, while they’re making money from their network abuse, is not the sign of a healthy or well-managed business.

    The claim that Spamhaus are only going after CloudFlare because they won’t list someone as big as FaceBook is implausible on several counts – not least that active FaceBook addresses have been listed by SpamHaus in the past, and I’m sure will be listed again in the future.

    They’re going after CloudFlare (with, I’m fairly sure, no more enthusiasm than they go after any other spammer or malware hoster) because CloudFlare has multiple customers behaving badly, up to and including felony badly. At the time I write this there are 15 separate /32s listed by SpamHaus, each for IP addresses that are specifically connected to abusive behaviour – and there’s no implication that that’s an exhaustive list.

  8. Al Iverson says

    I’m not buying what CloudFlare is saying here, Justin. I have no involvement in this matter, but from reading the coverage of it and looking at the SBL listings, it sure seems to involve more than one client, and it sure doesn’t seem to me that Spamhaus is afraid fo listing Facebook (they certainly have before). I also see what CloudFlare has said to others, disclaiming responsibility for bad actor traffic crossing the CloudFlare network or service…that’s a bad policy. If I still ran a network, I’d be blocking CloudFlare as a result of that policy choice. (And let’s be clear, it absolutely is a choice. It sure looks to me as though a provider/service like CloudFlare could choose to null route bad stuff based on reports received and investigating those reports.)

  9. Andrew Barrett says

    CF’s reticence is causing pain for their legitimate customers as well. We send mail on behalf of one of them, but our own outbound filtering is preventing the mail from being sent through our application because of the listing. I’ve declined to make an exception in our filtering to accommodate the client because of the broader security implications such an exception might have for our own assets.

  10. Rahal Ghazni says

    I am a Cloudflare customer. I am using Aweber to email out for my business.

    A few days ago one of my messages had a 10 spam rating from Aweber built in Spamassassin. My website was now on a spamhause block list.

    Aside from philosophical discussions I am searching for a technical solution. Personally I don’t want to leave Cloudflare and change my DNS back to my old provider as Cloudflare provide a lot of positive attributes to my websites but no mail outs means no business….

    What would you suggest that I do?

    Thank you

  11. Rahal Ghazni says

    Hey Justin,

    Thank you for resolving the issue with me.

    Whatever is said about Cloudflare – I believe their spam policy is based on the principle of internet freedom. They are a very professional and passionate company. This, i can tell, is reflected in how they treat their customers during this difficult time.

    Keep at it Cloudflare and thank you for the support.


  12. TJ says

    I use Aweber and came across the same problem. Spam score from emails went from Zero to Ten with no changes to the email content.

    We contacted Aweber, and they confirmed that CloudFlare is in the Spamhaus SBL.

    How many thousands, or millions of websites are being affected because of a few bad apples?

    Unfortunately, we can’t wait on CloudFlare to get their act together. If anyone has experience with CloudFlare competitors that are not listed in the Spamhaus SBL, it’d be interesting to hear your suggestions.

    CloudFlare could at least alert customers that this issue is occurring. Their support team merely said they’re working on the issue.

    Aweber said that if we drop CloudFlare, our email’s score will return back to normal within 24 to 48 hours.


Your email address will not be published. Required fields are marked *

  • AOL compromise

    Lots of reports today of a security problem at AOL where accounts are sending spam, or are being spoofed in spam runs or something. Details are hazy, but there seems to be quite a bit of noise surrounding this incident. AOL hasn't provided any information as of yet as to what is going on.4 Comments

  • ReturnPath on DMARC+Yahoo

    Over at ReturnPath Christine has an excellent non-technical summary of the DMARC+Yahoo situation, along with some solid recommendations for what actions you might take to avoid the operational problems it can cause.No Comments

  • AOL problems

    Lots of people are reporting ongoing (RTR:GE) messages from AOL today.  This indicates the AOL mail servers are having problems and can't accept mail. This has nothing to do with spam, filtering or malicious email. This is simply their servers aren't functioning as well as they should be and so AOL can't accept all the mail thrown at them. These types of blocks resolve themselves. 1 Comment