[Ueland]

I have some experience on this field. Around two years ago i was a DevOp for the company running Dagbladet, Norways #2 newspaper. One of the things I did was keep an eye on mysterious traffic.

I managed to find a huge spam network that set up a proxy service that delivered normal content, but injected "you can win an iPhone!" spam to all users visiting them.

Since I was in the position of being able to monitor their proxy traffic towards many sites I managed. I could easily document their behaviour.

In the same time, I wrote a crawler that visited their sites over a long, long time. I learned that they kept injecting hidden links to other sites in their network, so I did let my bot look at those also.

By this time, I also got a journalist with me that started to look at the money flow to try and find the organisation behind it.

My bot found in excess of 100K domains being used for this operation, targeting all of westeren Europe. All the 100K sites contained proxied content and was hidden behind Cloudflare, but thanks to the position I had, I managed to find their backend anyways.

We reported the sites to both CF and Google, and to my knowledge, not a single site were removed before the people behind it took it down.

Oh, and the journalist? He did find a Dutch company that was not happy to see neither him or the photographer :)

[avian]

> We reported the sites to both CF and Google, and to my knowledge, not a single site were removed before the people behind it took it down.

As someone that tried reporting spam sites because they were using content scrapped from my website, I'm not surprised.

Cloudflare has a policy that they will not stop providing their IP hiding/reverse proxy services to anyone, regardless of complaints. The best they do is forward your complaint to the owner of the website, who is free to ignore it.

They say "we're not a hosting provider" as if that's an excuse that they can't refuse to offer their service. I'm sure many spam websites would go away if they couldn't hide behind Cloudflare.

[yosamino]

> The best they do is forward your complaint to the owner of the website, who is free to ignore it.

Or worse. Since I have no way to know beforehand who I would be dealing with, this is actively dangerous - what if the mobster running this site is having a bad day and choses to retaliate ?

Also what a stupid fucking policy that is. Even if you are not legally compelled to block content, what is the point of actively helping distibute harmful content?

What they are doing is worse than just saying "We are not a hosting provider" - because while what is true, they are actively distributing content that is hosted elsewhere while hiding who is hosting it.

One can easily write an email to abuse@hoster.example.com and usually these people do not want garbage on their networks. CF is making it impossible to do notify them, and they refuse to implement an alternative procedure.

I still do not understand the moral position of profiting off of enabling criminal scum, when it would be so easy not to...

[tlogan]

I do not think that it is up to Google or CloudFlare to police the internet. If a site is doing something illegal then report it to appropriate gov agency. If gov agency does not anything then get involved into political process to fix that.

[hackbinary]

If Google, or CF, or whoever are fronting illegal activity with their services, they are absolutely responsible for damages the party they are proxying.

Platforms must be responsible for the content they are hosting, broadcasting, and publishing.

One to one communications between two people exchanging ideas and having a private discussion is different from mass broadcasting.

[fstrthnscnd]

> Platforms must be responsible for the content they are hosting, broadcasting, and publishing.

> One to one communications between two people exchanging ideas and having a private discussion is different from mass broadcasting.

The highway is used both by those visiting their friends and those doing mass deliveries. Is it the job of the highway maintenance crew to control for what purpose their network is used?

I would like to know if the above analogy stands.

Edit: https://news.ycombinator.com/item?id=27994831

[zizee]

The "owner" of the highway is the government, who regulates commercial traffic differently to personal traffic. The government places strict rules on who is allowed to use the highway, and how it is used.

The highway maintenance crew is akin to the person installing racks for CloudFlare.

[hackbinary]

Highway are a poor analogy for information broadcast systems in general. Highways are closer to a one to one transmission system rathe than a broadcast system of one to many.

[franga2000]

They're already removing things they don't like. I see no reason why they shouldn't remove things that are objectively 100% harmful.

Like seriously, is there a single person on the planet that's going to defend online scams? It's immoral, it's illegal, it benefits no one and harms thousands. And it's not like it's very hard to detect and block either.

[xorcist]

If someone were to tell AT&T that this call center customer of theirs is in the business of extorting people for money, they'd at least look at it and help law enforcement accordingly. Cloudflare has a talk-to-the-hand attitude until actively forced by law enforcement. That's an important difference right there.

[pdimitar]

Gov agencies and political processes take ages to do anything at all.

At this point I'd still like the internet companies doing partial policing of content. At least they'll achieve something.

[a2tech]

Because criminal scum pay their bills. You don't think 8Chan was on a free account do you?

The sooner developers realize that Cloudflare is not saving the Internet the better.

[oblio]

At this point I'm convinced that at least 10% of all legitimate economic activity is actually money laundering for crime organizations, in various forms. I imagine that percentage goes even higher in the financial capitals of the world.

[BeFlatXIII]

That’s the low estimate.

[samstave]

'ey... I'm trafficking Paintings 'ere -- ya know... Art

[cratermoon]

> what if the mobster running this site is having a bad day and choses to retaliate ?

I wonder if someone with malicious intent could set up a site designed to generate complaints (how exactly would be an exercise for the reader), put it behind Cloudflare, and purposely use the information in the forwarded complaints to harass, abuse, dox, or otherwise harm people.

[FDSGSG]

>One can easily write an email to abuse@hoster.example.com and usually these people do not want garbage on their networks. CF is making it impossible to do notify them, and they refuse to implement an alternative procedure.

But that's exactly what CF does. They forward your abuse complaints to the abuse contact of the IP address hosting the content.

[arthur2e5]

The retaliation is quite real—CF keeps your entire e-mail address and name in there, so you are essentially doxxing yourself. Pretty sure 8chan posted a lot of the reports they got back in the day.

[eru]

They might take that stance, to avoid liability and complication.

At the moment, they have a very clear rule. If they stop providing services to obvious spammers, they will create lots of grey areas, and they will also implicitly make a judgement that the client they still serve are _good_ in some way, and an enterprising lawyer or muckraker might exploit that.

[LudwigNagasena]

Cloudflare dropped the Daily Stormer. The ship of pretense of no judgement has sailed.

[Litost]

To anyone else who's curious links for the above:

https://blog.cloudflare.com/why-we-terminated-daily-stormer/

https://en.wikipedia.org/wiki/The_Daily_Stormer

[sneak]

This may have had something to do with the fact that the daily stormer was claiming prior to that that their lack of suspension was an implicit endorsement by CloudFlare of their site and content.

Misuse of trademarks is a thing.

I agree, however, that CF's policies are applied arbitrarily.

[iratewizard]

And 8chan, the 4chan alternative where anyone can make and moderate their own board.

[hnbad]

Better known for being linked to the Christchurch and El Paso shootings, being the origin of the QAnon movement and having a history of hosting child pornography.

https://en.wikipedia.org/wiki/8chan

[iratewizard]

Facebook, reddit, MySpace and Twitter have all been linked to mass shootings and child pornography. None of these sites condone, enable or remotely desire such content.

[avian]

How is that different from a hosting provider that has to address legal complaints regarding spam, copyright infringement, etc. on their servers? Just like a hosting provider, they specifically have a relationship with the website owner to provide the reverse proxy service. It's not like they can say "we don't know who or how our service is being used".

It seems to me that if they want to be in this business they have to deal with these liabilities and complications, not hide behind some vague "our hands are tied" language.

[studentrob]

Presumably if illegal content is not taken down by the customer then the host cancels the service, right? Otherwise the host risks liability. That's different from revealing the IP of a customer which requires a court order.

[eru]

You have a point, but I assume those businesses' lawyers understand this better than our armchair speculation here.

[lelanthran]

> How is that different from a hosting provider

If their argument is "we only retransmit what we get, with caching" then they are in the same place liability-wise as the phone providers ("We only retransmit what we et, with caching").

In other words, a common carrier.

Hosting is different. For exmaple, Youtube is not liable for what their users upload. They comply with takedown notices because they host the content, not the user.

[breakingcups]

But in a way, they actively host the content. The fact that their server periodically retrieves new content from a different backend makes no difference. The page sits on their hard drives and is server by their servers when I visit that domain. It's always been a very, very thin argument and it has gotten even thinner with the likes of Cloudflare Pages and Workers.

Cloudflare is just a huge company actively ignoring abuse complaints and somehow they are getting away with it. It even helps their PR to a certain market segment.

They even still host kiwifarms, a board that is primarily known for its vicous harassment of people and is known to have driven multiple innocent people to suicide.

I consider CloudFlare a bad actor at this point and I wish the other big names around them would too. They are subsidizing crime with VC money.

[IfOnlyYouKnew]

This logic doesn’t make sense. Nobody is under the illusion that CF is somehow incapable of denying service to individual customers.

[mattbee]

This policy even extends to stresser/booster/DoS-for-hire services services - try searching for some and see who fronts them?

20 years ago the transit providers of the internet would have spotted Cloudflare for what it is, and cut it off.

[guest159835]

I've been reporting hundreds of spam sites to Cloudflare, but always get the same lame excuse. Godaddy the same. Meanwhile good content drops in Google rankings and spam moves to the top.

[FeepingCreature]

That seems like the sort of thing that should require a judge's order.

[trangus_1985]

Cloudflare is not a public institution. It troubles me that they get to define, draw, and then maintain that line.

However, I do agree - privacy unveiling like that should require a judge's order.

[stavros]

But they don't, that's explicitly their stance. There is no line. They host everyone equally. To do the opposite would require drawing a line.

[yosamino]

That is not true. They do have a line specified here https://www.cloudflare.com/abuse/

It's just that the procedure is so useless that it might as well not exist.

[fauigerzigerk]

IANAL, but I don't see a Cloudflare specified line anywhere on this page. I think this is just the bare minimum they are legally required to do.

[trangus_1985]

> There is no line

You are missing the point of the complaint, which is that it's a private decision to hold that policy. Maybe it was a bad idea to use the word "line", but the intent still stands unadressed.

[account42]

> They host everyone equally.

Everyone except those that are too right wing.

[stavros]

Are you referring to the one incident where they stopped hosting a racist hate site and then vowed to never take sides again?

[studentrob]

Yes, it is akin to revealing the IP of a user on a social media site.

[andyjohnson0]

I'm pretty sure they stopped providing services to a neo-nazi site a few years ago. A decision that I am completely happy with btw.

[nine_k]

This is very rational of them. They position themselves as a pipe for "bytes", not "content".

By ignoring the content they serve, they rid themselves of the necessity to analyze and judge what they serve. Not only would this require a brain the size of a planet and the expense of running it, but also would inevitably conflict with someone else's judgments, and bring various PR woes.

They don't analyze the internals of their traffic the way internet backbone providers don't analyze the internals of the traffic they pass around.

I frankly find this position superior: imho it does more good by preventing censorship than harm by serving good-intentioned and bad-intentioned customers alike.

[rowanG077]

In fact I completely agree with that stance. It's not cloudfares job to police the content. They provide a simple service. If something is unlawful law enforcement should go after the owners.

[withinboredom]

And how, might I ask, do you propose to do that?

[rowanG077]

Law enforcement can get a warrant to get information to try and find them for example. They can hire security experts. They can do tons of things.

[dylan604]

That sounds like a hell of an investigation, and now my curiosity is running. 100k domains sounds like an huge amount of logistics on their side to keep it all running. It would be interesting to read about how a spam company manages that kind of infrastructure compared to a "legit" company.

Legit company will always have internal struggles between dev/sales/marketing, so things just take longer and are much more draining to accomplish. I'd imaginge spam org just needs to have bare minimum stuff up to satisfy whatever need it is they have knowing that humans won't necessarily be perusing those domains, yet it's 100K domains. I could almost see something like this running more smoothly. I can also see it being run by small number of people that let things lapse and it's just barely hanging together. So many questions...

[tluyben2]

It is not very difficult to manage: a company of mine was bought by a squatter (I found out after dealing with a broker for the sale; I had to integrate it with their 'tech team' and walked away after) and for many years already, this all has been fairly easy to automate. The registars have apis, cloud flare has apis. There was 1 tech guy keeping it all up and running and he didn't have to do anything. It would register and provision with content automatically. There is really almost no work involved besides keeping money in the registrar account and the costs are only the domains probably, maybe they have a little hetzner load balanced setup with 2 machines but that's likely it.

[tikiman163]

The reason you found so many domains is that they intentionally take down thier spam sites and reload them under a new domain every few hours. They do this so they can't be taken down by people reporting them as spam. They literally setup the next domain while the current one starts being used so they can do a live swap to the next one without interruptions to thier spam operations. This is typically done in an effort to spread Trojan malware to anybody running computers with out of date operating systems and browsers. Windows getting people off of Internet Explorer has been a huge hit for them as it reduces the number of possible vulnerabilities someone might have when they get sent to one of these Trojan spam sites.

[ultimoo]

> By this time, I also got a journalist with me that started to look at the money flow to try and find the organisation behind it.

Very curious to know what you found!

[Ueland]

We did publish a whole series about the network and companies we found in the process, unfortunately in Norwegian only and soft-paywalled: https://www.dagbladet.no/nyheter/sonjas-52-oppdagelse-avslor...

[IG_Semmelweiss]

did the article resonate with norwegians? I assume the report probably answered so many questions of the populace on google's malfunction, even if nothing came out of it

what was the feedback to the article ?

[lifeisstillgood]

Can I just clarify?

There is / are organisations that a) scrape legitimate sites for content, b) host that content on their own 100K domains, c) sit behind cloudflare, d) do some seo??? e) when someone finds their site they then inject an ad or similar rubbish f) do this enough that they make money off the ad / competition / porn ?

That seems like a problem that the ”original-source” metatag was supposed to stop?

[tyingq]

Canonical urls help with noting your own purposeful duplicated content. But that meta tag goes on the duplicated content. So it doesn't help with scrapers, who strip that out.

[lifeisstillgood]

But I thought that it was useful for google - who could find two caches with same content, one of which was 2018 one of which 2020 and both say "this is canonical". At that point the 2018 version is real and the other rejected.

Then again, you could just do it with publication dates ...

[tyingq]

I don't know why, but Google seems unable to figure out (or just doesn't care) "who published it first". I've seen it be confused many times.

[pepy]

Do you want to get to the bottom of this? A friend of mine is a top Dutch lawyer with an interest in these things.

[Ueland]

This was two years ago and the network is now (to my knowledge) gone.

[pepy]

alright, thanks for the clarification