HACKER Q&A
📣 malikNF

Has Cloudflare blocked your domain without explaining what's going on?


I had transferred the domain from Namecheap to Cloudflare because I had heard good things about them on here. Everything was working well (mainly use this domain for my personal emails) and now nothing is working, no warnings, nothing.

I contact cloudflare support and they transfer me over to their "Trust & Safety" team.

This is the response I get.

------

Hello,

Your account violated our terms of service specifically fraud. The suspension is permanent and we will not be making changes on our end.

Regards, Cloudflare Trust & Safety

-----

What the heck is that supposed to even mean? Has anyone else had any way to deal with this sort of issue? Anyone from cf lurking here who can help me please? This is my personal domain and a lot of my other accounts are attached to this. Like what am I even supposed to do here ?


  👤 malikNF Accepted Answer ✓
Update: Just received an email from CF.

--------------

Hello,

With regard to your inquiry, we have restored the domain names in your account to active status. Please allow for normal propagation. You will need to re-add mnf90.com to your account in order to manage it. Our apologies for any inconvenience this may have caused.

Kind Regards, Cloudflare Trust & Safety

------------

Not much info lol, but guess it's fixed now?

Thanks HN for up-voting my post and helping me get the attention of CF. Time to go figure out how not to get into this situation again, and a way to mitigate this in case the AI gets angry again. Funniest thing about this is, I wanted my own email because I was afraid of this scenario, getting locked out of everything, what happens if big G or M decide to close my account down?

Again, thanks HN. Really appreciate you folks for helping me get the attention.


👤 thaumaturgy
FWIW I also had a recent experience with Cloudflare "Trust & Safety" and it was my first negative Cloudflare experience, unfortunately.

A client-of-a-client had their site reported to CF for malware distribution via Netcraft. I reviewed the site and found nothing unusual-looking. I dug out a month's worth of access logs for the site, carefully filtered them, and then eyeballed all of the tens of thousands of remaining lines, and again, nothing unusual. No sign whatsoever that the site had ever distributed any malware.

There were signs that the site had been probed a number of times by one or a few bad actors, a bit more than just the usual background scanning. Best guess was that, having failed to take the site down through direct means, somebody filed some fraudulent reports against it.

DigitalOcean also received a report on the site, and that's where the difference in handling the issue really became apparent. I sent essentially the same response to both DO and CF. DO sent back a quick, "thanks for taking a look at it, we're not going to take any action at this time, have a nice day" response.

Cloudflare on the other hand pre-emptively took the site down and then took a while to reply at all. When they did, the reply was extremely opaque: "this report has been processed". Like, okay... and?

I had by that time already routed the site off of Cloudflare and had it back online, so the impact was minimal, but now that I know what it's like to deal with this category of issue at Cloudflare, I have to ensure that it's always easy to take anything off of Cloudflare. I love Cloudflare generally, so this is really disappointing.


👤 null_object
I can’t believe how lightheartedly you are taking this. (edit: I guess your initial reaction when the domain was reinstated was probably a bit of euphoria).

This faceless corporation simply took away your property without explanation or warning, and didn’t even feel any obligation to explain why.

For many people the consequences might have been losing their own or even their family’s source of income.

Their behavior was despicable and callous.

When did these tech companies start thinking they were all-powerful and above the law like this?


👤 sph
> The suspension is permanent and we will not be making changes on our end.

Someone else in this thread explained this as "they're flat up holding it hostage until it's publicly available for anyone to register."

I will not do business with companies whose word is final, with no explanation and no recourse whatsoever, unless you shout loud enough that someone higher up the org tree decides to figure out what has happened. Especially when the decision actually comes from a fallible, subpar automated system. Fuck that dystopia. Shameful behaviour, Cloudflare.


👤 Sephr
If I had to guess, the OP's payment method is specifically what got flagged, resulting in the domain being blocked.

See https://community.cloudflare.com/t/domain-not-working-after-... where someone who appears to be the OP mentioned that CloudFlare auto-refunded some charges.

CloudFlare should still post a public postmortem as to how this user got wrongly flagged (excluding any personal info). The OP has already consented to this: https://news.ycombinator.com/item?id=31574656


👤 eins1234
Wow, that's terrible. Thank you for the heads up. Just transferred my domains back to namecheap.

While we're all here venting about Cloudflare, is anyone else frustrated about how they lure you in to their CDN product with "free" bandwidth, but then lock so many useful features arbitrarily behind what I can only imagine is a thousands of dollars per month enterprise plan? Just look at their cache-purging page for an example of this, everything other than basic purge by URL is enterprise only: https://developers.cloudflare.com/cache/how-to/purge-cache/

These days Cloudflare is literally my last choice for a CDN for my new projects, and I try to warn against others considering using it. My new go-to is bunny.net, who charges a reasonable usage-based fee for bandwidth and gives you unfettered access to all the features they've built. Though I'd even reach for Cloudfront with their expensive bandwidth costs these days, because at least their pricing is transparent and scales smoothly with usage, and they don't arbitrarily cut you off from useful features.

Even their bandwidth might not really be "free", since I've heard if you actually use any significant amount, the sales people will come knocking on your door to coerce you to get on the same enterprise plan or have your site taken down.


👤 xxdesmus
Hello, I'm the Head of Trust & Safety. Please forward me the email? This is very likely legitimate and from our team, but I'd like to confirm. justin@ cloudflare.com

👤 sascha_sl
I know this sounds very cynical, but there's something funny about a company doing this automated trust and safety with zero recourse spiel while being entirely okay with hosting sites where people are bullied into suicide because we can't just deny service to technically legal websites as a pseudo public utility.

Pick a lane.


👤 herpderperator
> Your account violated our terms of service specifically fraud.

Honestly, this phrase is raising phishing alarm bells in my head, though xxdesmus said it's `likely legitimate`. The punctuation and capitalization is lacking, and really makes it sound... off.

Edit: I originally thought this was an email, but upon reading the post again it sounds like a response to OP's support ticket. There's a lot less effort involved in responding to a support ticket or chat message than the effort involved in writing up email templates, so my point doesn't quite apply here.


👤 ab-dm
Ever since CF went public, their support quality has fallen off of a cliff. It's really sad to see as they have a great service, and especially recently have built some amazing stuff. I just don't understand why humans helping humans has become so much of a thing to avoid.

Yes it's tricky, and it doesn't scale well, but that's the price you pay when working with people.

Glad that there was a good outcome, but very sad to see it took getting on Page #1 of HN to be resolved.


👤 nonrandomstring
This sounds like a phishing expedition to provoke you into rash action. Pause. Take a breath. Don't click anything. Try to contact the company via a safe secondary channel like landline telephone and start by politely verifying if they've contacted you by email for any reason in the recent past.

If it really is from Cloudflare then they are trash beneath contempt and you should extricate your interests as fast as humanly possible.


👤 RainaRelanah
Did you have any other domains on the account, or shared access with other accounts?

I hate how legal has forced every trust & safety team to just blanket reply "You were banned. We won't tell you why. We won't overturn. Go away." It's absolutely impossible to contest without public attention or legal action, and is often just a simple mistake.


👤 anderspitman
Hope you get it figured out.

This is an example of why it's a good idea to keep your domain registrar separate from as much else as possible. The more services you use from a company, the more surface area there is for your account to get inadvertently flagged, and the bigger impact a suspension will have.


👤 wanderingmind
Once you transfer your domain out, make sure to take them to arbitration since you must have paid for their services. The more people take these orgs to arbitration, the more fearful they will become of making such blanket bans. There was a recent post on HN about arbitration [1]

[1] https://news.ycombinator.com/item?id=31567673


👤 tyingq
The biggest deal to me is there is no escape hatch. If Cloudflare decides they don't like me, fine. But give me a button-press way to transfer my domain out, immediately, then. No asking, no waiting. You ban me, you crack open that functionality at the exact same time and link to it in your "we don't like you anymore" email.

👤 social_quotient
Seems like removing a site and accusing it[owner] as fraudulent would be some sort of slander/defamation and require a lot more proof and/or liability should they be wrong.

The ai world should have some penalty for being wrong to discourage this sort of behavior in a punitive way. This would dissuade companies from scaling before things are really ready.

Thoughts?


👤 groffee
At this point we should just rename HN 'cloudflare support'.

👤 yumraj
Oh for F's sake..

I had moved my domains from Google to CF sometime ago, assuming my emails etc. are protected, and now this.

Honest question: What is a good registrar? I used to use Namecheap in the past and have nothing against them.

Unfortunately, unlike other things I cannot self-host a registrar.

Thoughts? Suggestions?

Edit: TBH, I find this wording rather rude "The suspension is permanent and we will not be making changes on our end." especially for a paid product.


👤 irthomasthomas
How can a "suspension" be permanent? It is by definition temporary. I hate this timeline. If they keep inverting the meaning of words, soon nothing will make sense.

👤 teraflop
> Like what am I even supposed to do here ?

Not meaning to diminish your (quite reasonable) frustration, but is Cloudflare preventing you from transferring your domain somewhere else?


👤 Folcon
This reminds me of the negative experience I had with Cloudflare in the past, the thing that really bothered me about it was that though their system had made actions on my account their own audit log attributed those actions to me.

So I'm still left wondering, was that intentional or a bug?


👤 lizardactivist
"I had heard good things about them on here"

No, you did not hear good things about the biggest man-in-the-middle of the internet on here, and you're about to learn the tough lesson others have: don't trust Cloudflare with sensitive accounts or data.


👤 Animats
What services have contractual terms that prohibit them from taking arbitrary actions against their customers without prior notice? A list would be useful. For B2B use, you probably want to use only such services.

👤 wb14123
Actually something similar happened to me with Namecheap a few days ago. They banned one of my domains without any detailed explanation and refused to recover it. I ended up registering the domain again at Cloudflare. Now I see this post, I don't know which company to trust anymore ...

Here is their response when I asked them details:

---

Thank you for your email. We regret any inconveniences you may have experienced.

Please be informed that Namecheap is doing its best in order to reduce any possible misuse of our services. It was noticed that the domain in question was marked as potentially abusive in our system, and we were forced to cancel it based on the result of an internal investigation. Please accept our apologies for the inconvenience caused by this action.

There are two options following which we can resolve the matter:

- Refund the domain to your payment source.
- Re-register it for you for free.

Please consider your choice and get back to us with a result.

---


👤 0172
I had a similar experience transferring a domain I registered with Namecheap to Cloudflare. They did not let me add the domain at all, citing a similar reason. Perhaps the previous owner of the domain was abusing it.

👤 nmuntz
As a Cloudflare user this is quite scary and I'm not willing to put up with a shit show like this. What's a good alternative to CF? I mostly use CF because of their 'bonus' features like WAF.

👤 spinaltap
I'm surprised nobody asked what business the domain was doing, and what could have triggered the flag.

The OP didn't say even one sentence about something like "I didn't do anything fraud related" or "I have no clue why it could possibly be flagged". But from my understanding of the world, if that's what OP thought, he probably would have said it.

I also find that nothing is being served from the domain mnf90.com after it's reinstated, not sure if this has been the case in the last few months.


👤 alexklarjr
Cloudflare is acting really trashy recently from a development perspective also. They are not fixing their own Terraform provider for months (not speaking about new API things), their shiny and slow-as-Python zero access PWA makes horrible things with updates, and they have zero response on community boards. The only way to reach them is to have a paid account and be annoying and rude to support.

👤 TimLeland
I've been running https://T.LY/ and many other sites with Cloudflare. I've never had an issue, but if they detect malicious content, they will alert you of the issue. Is it possible you missed the email or it went to spam?

👤 bravetraveler
Not here, but I'd be lying if I said I didn't worry about it.

I've had a small collection of domains with them for eons - probably nearing a decade or longer


👤 jesterson
> I had transferred the domain from Namecheap to Cloudflare because I had heard good things about them on here

Mistake number one - to follow the herd :) Mistake number 2 would be to use Cloudflare for anything - but that's another topic


👤 agentdrtran
One of the worst support experiences I ever had was with Cloudflare. They refused to tell me what I did wrong and demanded sensitive PII over email from a shady address. I moved everything I owned off Cloudflare. For paying customers it might be fine but "free, except it might get randomly nuked" is an awful deal. https://socialism.tools/why-i-ditched-cloudflare-and-you-sho...

👤 bithavoc
Maybe @jgrahamc can help

👤 naet
There is an explanation of what is going on; it might be incomplete, but your account has in some way been flagged for fraud or spam. Maybe someone else is abusing your account, or maybe you have a misconfiguration causing this to trigger, but I'd reach out to a service rep.

--

I've experienced a near opposite situation: there was a news story about Cloudflare providing DDoS protection for a number of websites including the site for "The Proud Boys" (if you haven't heard of them, they're an all-male far-right American political group fairly well known for their physical fights with various other groups). My client, who was often vocal about politics on their public CEO Twitter account, made a statement that if Cloudflare did not end their contract with the Proud Boys and a couple other unsavory groups then he would find an alternative and move all his current and future projects away from them. So it quickly fell to me to move all his legacy properties off Cloudflare and close out their old account... and while they may have lost him as a future customer, after the pain of trying to find similar levels of service for a similar price I am now recommending Cloudflare to most of my clients over their competitors for ease of use and pricing.