by thomas_gauvin 63 days ago
Blog author chiming in here:

We have reserved IPs for Email Service and will be protecting the reputation and fighting spam from originating on Email Service.

If we did not do so, our IPs would get flagged and then emails end up in spam or not delivered. That defeats the purpose of having a transactional Email Service. We're well aware of this.

7 comments

Will you also do this for other spammers using Cloudflare infrastructure, or just specifically for this email product?

> For years, Spamhaus has observed abusive activity facilitated by Cloudflare’s various services. Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS) [2].

> With 1201 unresolved Spamhaus Blocklist (SBL) listings [3], it is clear that the state of affairs at Cloudflare’s Connectivity Cloud looks less than optimal from an abuse-handling perspective. 10.05% of all domains listed on Spamhaus’s Domain Blocklist (DBL), which indicates signs of spam or malicious activity, are on Cloudflare nameservers

https://www.spamhaus.org/resource-hub/service-providers/too-...

I would note that Cloudflare has been doing better-- the SBL listings page mentioned in that article[1] shows only 47 active complaints, down from 1201 when the article was written 2 years ago. Many of those complaints are stale, too: I spot-checked a few (referencing the domains fireplacecoffee.com and expansionus.com) and the domains are expired and not being hosted by anyone.

[1] https://check.spamhaus.org/sbl/listings/cloudflare.com/

Spamhaus itself is a shady and non-transparent organization and basically one of the reasons why it's been so hard to actually run an email service for decades.

Cloudflare is not perfect, but at least it has been consistent about not becoming a censorship service, with very few exceptions where they banned something.

I'd rather let criminals freely buy and use kitchen knives than let shady organizations control who is allowed to buy one.

> 10.05% of all domains listed on Spamhaus’s Domain Blocklist...are on Cloudflare nameservers

Not defending spammers, but this comes across a smidge naive considering Cloudflare's overall footprint in the modern internet.

As someone that has managed very large outbound transactional email environments, email campaign platforms and some corporate email I just wanted to wish Cloudflare the best of luck on this endeavor. This is an entirely different animal from anything related to a CDN. Stay vigilant and don't let the cute and fuzzy bunnies ruin it for everyone else. They are evil and mischievous and will do whatever they technically can do.

Agent-produced emails are by definition spam. Everyone should be reacting to this news by immediately blocking your service.

Recent outreach after creating an AgentMail account:

"Thanks for being a user of AgentMail - a lot of people use AgentMail for outbound (spin up and warm up inboxes, send sequences, handle replies), ..."

Yes, that's right. The first use case mentioned is to send automated outbound emails. "Cold prospecting" workflows are likely going to be a big slice of usage on the new Cloudflare service, as it seems to be on AgentMail.

> We're well aware of this.

Then how about not marketing it as "for agents" when said agents are just LLM output?

If you take the approach of policing individual sender accounts with a strict anti-abuse policy, you have a chance of succeeding. I'm sure you have already discovered that the moment you allow anyone to sign up for an email sending account, the worst of the worst actors immediately take up the opportunity to do so! Cloudflare has a massive amount of data about web traffic and I would hope that this data can be recycled into effective threat detection and control. No doubt you already know this and have people working on it. Good luck!

So what are the thresholds?

For example with SES I will get automatically suspended if my bounce rate is more than 10% or if my complaint rate is more than 0.1%.

I think you should put your money where your mouth is. For each spam message sent to a recipient server, you send $1000 to the recipient.

Make that penalty $1 per (so the discussion can be taken seriously) and I will not only support your proposal, I'll volunteer my time and effort in encouraging Congresscritters to vote for it.

There are serious financial penalties for robocallers who violate the Do Not Call list (in America, at least). Let's update those laws for the 21st century, shall we?