by binaryturtle 14 days ago
I can no longer access any website that's "protected" by Cloudflare. As soon as a website enables that stuff… "Shoot, another one bites the dust." I wonder if the website owners realise at all how many actual users they lose by this sort of "protection."
5 comments

Cloudflare will just tell them that 70% traffic drop is because 70% of their traffic was bots, and everything is working fine, and hey, don't you want to upgrade to a paid plan to block 50% of the remainder? Think about how many bots will be blocked with that upgrade!
Do you really stand by these words?
I'm one of those who have enabled Cloudflare on all of the sites I maintain. Additionally, added Turnstile on every form.

I know some actual users get blocked. But the amount of spam we get without it, the amount of bot traffic simply overwhelming the server... It is just too much.

Recently I also hard blocked all IPs from China, Singapore, India, Pakistan, Russia and the whole of Africa. Do I want to do it? No. But the amount of bot traffic and corresponding spam is a bigger problem :(

I also always block traffic from China, India, Pakistan, and Russia, after observing that 90%+ of the spam/scanning was coming from those countries.

At least for China, I imagine most of the real humans might use a VPN anyway

> I know some actual users get blocked. But the amount of spam we get without it, the amount of bot traffic simply overwhelming the server... It is just too much.

So why not just shut down the website? Or remove the form entirely? That will ensure that you get no spam, right?

One of the core tenets of system design is Availability. If your service is not available - if your forms are blocking legitimate users - then why are you pretending to have a form submission feature at all? Just to frustrate users?

> One of the core tenets of system design is Availability. If your service is not available

The service won't be available to anybody because of overwhelming unwanted traffic. Now it's available for most potential users. You're speaking econ 101 when everyone else has played out iterated prisoner's dilemmas.

It is available to 99.9% of target demographic.

If you are getting blocked by Cloudflare, you are most likely not our demographic.

And there's always email address given in form submission, so a couple of users (like less than 5), emailed about the block and I added rules for each of them.

Better than taking down the whole thing because of bots scraping the site 5x more rate than humans.

> So why not just shut down the website? Or remove the form entirely? That will ensure that you get no spam, right?

Turns out that people have a tolerance for a non-zero amount of work, but still have a limit.

Suggesting "turn off your website" does not account for the desire to also provide some access.

Treat people who host content as humans, just as we must treat users as humans. There are tradeoffs, suggesting "shut down your website unless you provide access everywhere" is worse on all fronts for everyone.

> There are tradeoffs, suggesting "shut down your website unless you provide access everywhere" is worse on all fronts for everyone.

Maybe, maybe not.

If block-heavy websites shut down entirely, we lose some content, but other content moves to block-minimal sites and the average user might be able to access more.

Also if there's no blocking crutch, and people get pushed into shutdown and are mad about it, they might fight harder for anti-spam technology and legal enforcement, which could improve the situation.

Well I administer an ecommerce site, and for the checkout page I block everything besides Canada and USA.

Because those are the only two countries that we've ever in the life of our business, had a legitimate order from.

It prevents the majority of credit card testing, but it is tempting to apply it to the whole site to reduce traffic and server load.

I'd be seriously pissed off if I invested the time to build a shopping cart and got to the order screen just to be turned away. I hope that you have a clear message somewhere that you do not ship outside the US and Canada.
Yea, honest admins block entire regions because spam and bot traffic make it impossible to stay open
> I wonder if the website owners realise at all how many actual users they lose by this sort of "protection."

How many people do you think are browsing with a weird enough config (e.g. custom browser like OP, or some weird config like Firefox with fingerprinting protection on a Raspberry Pi) to trip Cloudflare's protection?

Well… I know plenty of people in my circle affected by this. Just have a slightly outdated system you simply can't afford to update: it's way too easy to get cut off like this. IMHO, a rather systematic discrimination of poorer people.
I got locked out of some websites by Cloudflare Turnstile on some very standard configurations, like an iPhone on Safari, or a Windows 11 desktop with Firefox or Edge, neither with a VPN on. I never found out why.
It's probably because a scraper farm updated their services to latest, and there was a window where fingerprinting was unable to differentiate.

We had all of our devs' Pixels get blocked, and after talking to CF, it was because Internet Archive rebooted their scraping farm, all the devices stampeded and overwhelmed the known bot safeguards, and those tags were added across the board. CF gives sites the tools to tune what is getting blocked; we bumped the sensitivity down to 25 and haven't had many complaints (despite having a very vocal community).

The most common complaint is users' IP address getting blocked because of compromised devices

Does not have to be weird, at least once it happened to me that their strictest settings simply banned something like a major portion of internet users in my country - to the point that if you had FTTH you were likely blocked.

And no, it wasn't due to a country-based block selected by site operator.

There are dozens of us :)

In my experience what really makes it loop every single time though is JShelter. CF doesn't like having your fingerprintable data bits messed with.

There are legitimate uses for non-intrusive, ethical and legal scraping, but some of us have had to resort to extreme measures:

https://roundproxies.com/blog/bypass-bot-detection/

Do you by chance have that installed? I don't use Cloudflare but I am curious if that code can scrape my silly blog? [1] Trying to pick the appropriate article... I'm guessing it can. I don't do the fancy javascript or TLS fingerprint inspections, just some janky hill-billy protections, silly redirects and Antarctic voodoo.

[1] - https://blawg.nochan.net/b/Internet-Crap/20260522-Maybe-AI-B...

I use a plain Firefox on a plain Windows 11 PC on a plain regular mass market ISP in a developed country and I get completely blocked by websites daily.

At least let me complete a "prove you are human" challenge or something, but don't outright ban my IP address?

Weird? I live in Thailand, use Firefox, and get half a dozen CF challenges per day.

It takes very little for CF to consider you "weird".

I took the time to write to one on LinkedIn and they didn't reply
> wonder if the website owners realise at all how many actual users they lose by this sort of "protection."

Yesterday Cloudflare blocked me from visiting the MX-Linux site ... including an old browser with -no- protections ...

I have to wonder - assuming these sites are paying CF for this 'service' - are they getting a list of all the rejected IPs?