Cloned domain and new DNS records added

The title isn’t quite clear but here goes.

Client has a site not on Cloudflare called domain.com. Someone has registered a domain named domainuk.com and added it to a Cloudflare account and pointed it to the live site. They have also added MX records for Zoho.com to send out emails pretending to be connected to domain.com.

I’ve submitted an abuse report to Cloudflare but in the meantime is there any way to block inbound traffic from domainuk.com and redirect to a page stating it’s a scam domain?

I’ve tried the usual .htaccess redirects and blocking all Cloudflare IP addresses, both IPv4 and IPv6, but nothing works.

Thanks in advance.

Would you be willing to share the domain?

Otherwise, can you make sure you are doing proper host header validation at the origin?

You can check this with the following command: curl -i --connect-to :80:your-client-domain.com:80 http://any-other-domain-not-owned-by-client.com/

If this returns your client’s website, you must implement host header validation. If it returns an error page, you should be good.

https://httpd.apache.org/docs/2.4/vhosts/examples.html

Secondly, do requests from this mirror domain contain a CF-Worker header?

Yes but the real domain is not on Cloudflare. Someone else has registered a fake domain and added to a CF account.

Real domain - fashionsfinest.com
Fake domain - fashionsfinestuk.com

Gotcha, thanks for sharing the domain - it makes this a lot easier 🙂

You seem to be doing host header validation so that’s not the issue.

Would you be able to share the headers/log entry of a request coming from Cloudflare for fashionsfinestuk.com? That will tell us if they’re using Cloudflare Workers to “rewrite” the host header.
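One way to put both checks from this thread into practice on an Apache 2.4 origin, as an added example rather than configuration from the thread, from the client's server or from Cloudflare: a denied catch-all virtual host supplies the host header validation that the curl command above tests for, and a rewrite rule handles the case the CF-Worker question is about, where a Worker forwards requests with a rewritten Host header. The names your-client-domain.com, the /var/www paths, the log file names and /scam-notice.html are placeholders, and the assumption that a CF-Worker request header is present on Worker-relayed requests is exactly the assumption the question above sets out to verify.

```apache
# Added example, not from the thread. Apache 2.4 origin configuration that
# (1) refuses requests whose Host header is not the client's own domain and
# (2) sends requests relayed through a Cloudflare Worker to a notice page.
# Placeholders: your-client-domain.com, /var/www/..., /scam-notice.html.

# Log format that records the Host and CF-Worker request headers, so that
# requests arriving via the mirror domain are visible in the access logs.
LogFormat "%h %t \"%r\" %>s host=\"%{Host}i\" cf-worker=\"%{CF-Worker}i\"" hostlog

# (1) The first <VirtualHost> for an address:port pair is Apache's default
#     and receives every request whose Host header matches no ServerName or
#     ServerAlias. Keeping it empty and denied is the host header validation
#     the curl check tests for: an unknown Host gets 403, not the real site.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    CustomLog ${APACHE_LOG_DIR}/unknown-host.log hostlog
</VirtualHost>

# (2) The real site. Host validation alone does not help if a Worker rewrites
#     the Host header to the real domain before forwarding. Cloudflare adds a
#     CF-Worker request header to such subrequests (assumption to confirm from
#     the logs), and since this site is not on Cloudflare, any request that
#     carries it is unexpected and is redirected to the notice page.
<VirtualHost *:80>
    ServerName your-client-domain.com
    ServerAlias www.your-client-domain.com
    DocumentRoot /var/www/your-client-domain
    CustomLog ${APACHE_LOG_DIR}/your-client-domain.log hostlog

    RewriteEngine On
    # Requests with a CF-Worker header, except for the notice page itself
    # (otherwise the redirect would loop), are sent to /scam-notice.html.
    RewriteCond %{HTTP:CF-Worker} !^$
    RewriteCond %{REQUEST_URI} !^/scam-notice\.html$
    RewriteRule ^ /scam-notice.html [R=302,L]
</VirtualHost>
```

mod_rewrite has to be enabled for the second part, and the three RewriteCond/RewriteRule lines work unchanged in a .htaccess file if the virtual host configuration cannot be edited. To verify, run the curl command from the earlier reply against the origin: an unknown Host value should now get a 403 from the catch-all, while a request for the real Host that carries a CF-Worker header should get a 302 to the notice page rather than the site content.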

Not at the moment as our systems admin is out of the office.

HTTP/1.1 200 OK =>
Date => Wed, 25 May 2022 09:51:58 GMT
Content-Type => text/html; charset=utf-8
Connection => close
Vary => Accept-Encoding
X-Powered-By => PHP/7.4.21
X-Logged-In => False
X-Content-Powered-By => K2 v2.10.3 (by JoomlaWorks)
P3P => CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Permissions-Policy => interest-cohort=()
Expires => Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control => no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma => no-cache
Set-Cookie => da5513f582f291953a4ed9a356972c5b=82cs6nh94231e3bosb6ro9fmqo; path=/; secure; HttpOnly
Last-Modified => Wed, 25 May 2022 09:51:58 GMT
Access-Control-Allow-Origin => *
CF-Cache-Status => DYNAMIC
Expect-CT => max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To => {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=BB5luk3nakCjorNEqa6p%2BGMQWzd4%2B4eSyhZ2lFgT2k2FfURCgwZ2dqQl1RcjGtqOn4S4PwUniYH5jAu8vMfaZja%2BicBL2OCNUsqH0a7nq3lOkbMNgWKu50jiVNshFxF4i%2F%2F%2BKU9%2BtA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL => {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server => Cloudflare
CF-RAY => 710d6021bc8f81ab-IAD
alt-svc => h3=":443"; ma=86400, h3-29=":443"; ma=86400

Oh, sorry for not being clear enough. I am talking about the request headers rather than response headers.
