Cloudflare IP on spamhaus.org

Hi,

our company has email deliveribiality issues.

I have found out it’s because IP, which use our domain, is blacklisted on Spamhaus:
https://check.spamhaus.org/listed/?searchterm=SBL522278

Our domain is ok, it’s because of other domains, which share our IP on cloudflare.

I have tried contact Spamhaus, they replied, that Cloudflare must ban the malware domains to remove the IP from Spamhaus.
I tried to contact Cloudflare support, but I have no reply from them several days.
I suppose it’s because this domain has free plan.

Do you know if better plan - Pro - will help us solve the issue?
If we could for example change IP?

Thanks, regards,
Petr

For no good reason, they do this from time to time.

1 Like

Thanks a lot for your reply.

If I understand corectly, it would not help us, if we upgrade to pro version of Cloudflare?

We will have to move our services elsewhere then, at this moment a lot of our email communication is blocked.

Have you configured your domain with the relevant configurations, like SPF, DMARC etc?

2 Likes

Judge posted that link as the first reply in that other thread.

2 Likes

We have unfortunately all settings ok - SPF, DMARC, DKIM.

I have checked using gmail, www.mail-tester.com.

The only issue in our emails is the IP spamhaus
0.6 URIBL_SBL Contains an URL’s NS IP listed in the Spamhaus SBL blocklist

Unfortunately it’s very important parameter for https://talosintelligence.com/ service (Cisco).
And almost all of our big clients use talosintelligence to check emails, so we are not able send email to them.

I suppose, it’s something new - we have detected this one week ago for the first time.

More important than SPF, DMARC, and DKIM? That’s absurd. Have any of your clients complained to Talos?

2 Likes

Yes, it’s really the reason for them to block the email (give poor reputation to the IP, which means block for it),

Reasons for Poor Email Reputation:

So they do DNS lookup, find IP of our domain and because it’s in the spamhaus db, our IP has poor reputation. It’s crazy…

It is unfortunately very important for us - our services use biggest companies in our coutry and almost all of them use talos. And because we are small company, we must solve it…

So if Pro version will not help us to change IP, we must change cdn provider…

Thank you for all your help…

Interestingly talosintelligence also use Cloudflare themselves

dig +short NS talosintelligence.com
fiona.ns.cloudflare.com.
lakas.ns.cloudflare.com.

wonder if they haven’t properly configured restoring real visitor IPs on talos’ end and mistakenly picking up Cloudflare IPs ?

1 Like

Will they block themselves if they happen to get blacklisted addresses assigned?

who knows but they’re clearly logging Cloudflare IPs in their database for email volumes https://talosintelligence.com/reputation_center/lookup?search=CloudFlare&org_lookup=1

edit looks like for example CF IP = 104.16.51.111 is returning alot of domains behind cloudflare for .zendesk.com, hushmail.com, sendgrid, support. subdomains so looks like domains where alot of emails are being sent through. Just for *.zendesk.com domains there’s over 10,000 results for that IP address.

@cscharff @cloonan maybe Cloudflare can make sure some of the flagged CF IPs are properly being configured by CF customers on their end too ?

2 Likes

I think talosintelligence use spamhaus.org db to check malware domains. So the problem is cloudflare’s IP in spamhaus.

And it’s quite funny - spamhaus use cloudflare as well.

So spamhaus and talosintelligence could both block themselfs easily :wink: .

As far as I know, the only ones that have “premium” IP ranges are enterprise customers and I presume scenarios like these are the main reason why that is even a feature.

So it’s clearly not the above-mentioned IP address they’re flagging, as that’s definitely not a Cloudflare IP address you’re sending from. But if a spammer sends email with a link to some site on a shared IP address, all those domains are marked as spammers. That’s idiotic.

Sure…until Spamhause flags that one because a spammer provides links to a hostname over there. And, no, Spamhaus doesn’t want to hear from you:

However, if your IP is listed on the Spamhaus Blocklist (SBL) removal can only be requested by your Internet Service Provider (ISP).

And you can bet that if this ever happens to Spamhaus, they’ll remove that block in a heartbeat…no need to hear from the ISP.

You are right…

I see two main problems:

  1. Spamhaus use idiotic flagging - all domains on one IP, even when only one domain is “bad”.
  2. Cloudflare doesn’t care who is using their services (malware, pishing and so on).

Unfortunately it’s probably impossible to speak with someone who is able to do something about it…

That would be a violation of ToS 2.7 and should be reported at cloudflare.com/abuse

I wrote to abuse team 5 days ago and still no reply, so I have lost hope already…

They’re not a very talkative bunch. If you provided a domain name of the offender and the offense, they’ll decide if it’s grounds for termination. They usually don’t respond unless they need more info.

Other possibility is as I said above Cloudflare IP on spamhaus.org - #11 by eva2000 that a lot of the domains for that CF IP listed by taosinteligence are support/ticket system domains support.* domains and you know ticket systems have a lot of automated emails for the confirmation of receipt/closing and follow ups. Some end users could be flagging those automated ticketing emails as spam rather than unsubscribe or deal with them properly.

1 Like

I think the main reason for the listing are the malware/pishing/fraud domains on this IP.

It’s possible to see them in details on spamhaus listing:
https://check.spamhaus.org/listed/?searchterm=SBL522278

For example:
2021-05-17 17:14:09 - cloudflare.com

Carding fraud site/forums: darksociety.cc ( valid.mn ) (escalation)

darksociety.cc. 299 IN A 104.21.8.249
darksociety.cc. 299 IN A 172.67.188.218


Was:

darksociety.cc. 1798 IN A 5.206.227.172


Was:
darksociety.cc. 1798 IN A 185.11.146.215

2020-03-30 12:27:18 darksociety.cc A 185.11.146.215
2020-12-21 11:20:54 hhh.darksociety.cc A 185.11.146.215
2020-12-20 11:48:37 www.test.store.darksociety.cc A 185.11.146.215

valid.mn. 599 IN A 185.11.145.249


etc…

It’s very unfortunate to have such “neighbors” on your IP and be unable to change it…