Cloudflare IP on spamhaus.org

help25 · May 17, 2021, 8:23pm

Hi,

our company has email deliveribiality issues.

I have found out it’s because IP, which use our domain, is blacklisted on Spamhaus:
https://check.spamhaus.org/listed/?searchterm=SBL522278

Our domain is ok, it’s because of other domains, which share our IP on Cloudflare.

I have tried contact Spamhaus, they replied, that Cloudflare must ban the malware domains to remove the IP from Spamhaus.
I tried to contact Cloudflare support, but I have no reply from them several days.
I suppose it’s because this domain has free plan.

Do you know if better plan - Pro - will help us solve the issue?
If we could for example change IP?

Thanks, regards,
Petr

sdayman · May 17, 2021, 8:25pm

For no good reason, they do this from time to time.

help25 · May 17, 2021, 8:36pm

Thanks a lot for your reply.

If I understand corectly, it would not help us, if we upgrade to pro version of Cloudflare?

We will have to move our services elsewhere then, at this moment a lot of our email communication is blocked.

michael · May 17, 2021, 8:46pm

Have you configured your domain with the relevant configurations, like SPF, DMARC etc?

sdayman · May 17, 2021, 8:56pm

Judge posted that link as the first reply in that other thread.

help25 · May 17, 2021, 9:00pm

We have unfortunately all settings ok - SPF, DMARC, DKIM.

I have checked using gmail, www.mail-tester.com.

The only issue in our emails is the IP spamhaus
0.6 URIBL_SBL Contains an URL’s NS IP listed in the Spamhaus SBL blocklist

Unfortunately it’s very important parameter for https://talosintelligence.com/ service (Cisco).
And almost all of our big clients use talosintelligence to check emails, so we are not able send email to them.

I suppose, it’s something new - we have detected this one week ago for the first time.

sdayman · May 17, 2021, 9:11pm

More important than SPF, DMARC, and DKIM? That’s absurd. Have any of your clients complained to Talos?

help25 · May 17, 2021, 9:25pm

Yes, it’s really the reason for them to block the email (give poor reputation to the IP, which means block for it),

Reasons for Poor Email Reputation:

Our sensors have received emails from your IP that contained links to domains hosting or distributing malware
( https://talosintelligence.com/reputation_center/support#email-rep2 )

So they do DNS lookup, find IP of our domain and because it’s in the spamhaus db, our IP has poor reputation. It’s crazy…

It is unfortunately very important for us - our services use biggest companies in our coutry and almost all of them use talos. And because we are small company, we must solve it…

So if Pro version will not help us to change IP, we must change cdn provider…

Thank you for all your help…

eva2000 · May 17, 2021, 9:48pm

Interestingly talosintelligence also use Cloudflare themselves

dig +short NS talosintelligence.com
fiona.ns.cloudflare.com.
lakas.ns.cloudflare.com.

wonder if they haven’t properly configured restoring real visitor IPs on talos’ end and mistakenly picking up Cloudflare IPs ?

sandro · May 17, 2021, 9:51pm

Will they block themselves if they happen to get blocklisted addresses assigned?

eva2000 · May 17, 2021, 9:53pm

who knows but they’re clearly logging Cloudflare IPs in their database for email volumes https://talosintelligence.com/reputation_center/lookup?search=CloudFlare&org_lookup=1

edit looks like for example CF IP = 104.16.51.111 is returning alot of domains behind Cloudflare for .zendesk.com, hushmail.com, sendgrid, support. subdomains so looks like domains where alot of emails are being sent through. Just for *.zendesk.com domains there’s over 10,000 results for that IP address.

@cs-cf @cloonan maybe Cloudflare can make sure some of the flagged CF IPs are properly being configured by CF customers on their end too ?

help25 · May 17, 2021, 9:57pm

I think talosintelligence use spamhaus.org db to check malware domains. So the problem is Cloudflare’s IP in spamhaus.

And it’s quite funny - spamhaus use Cloudflare as well.

So spamhaus and talosintelligence could both block themselfs easily .

jnperamo · May 17, 2021, 10:11pm

As far as I know, the only ones that have “premium” IP ranges are enterprise customers and I presume scenarios like these are the main reason why that is even a feature.

sdayman · May 17, 2021, 10:16pm

So it’s clearly not the above-mentioned IP address they’re flagging, as that’s definitely not a Cloudflare IP address you’re sending from. But if a spammer sends email with a link to some site on a shared IP address, all those domains are marked as spammers. That’s idiotic.

Sure…until Spamhause flags that one because a spammer provides links to a hostname over there. And, no, Spamhaus doesn’t want to hear from you:

However, if your IP is listed on the Spamhaus Blocklist (SBL) removal can only be requested by your Internet Service Provider (ISP).

And you can bet that if this ever happens to Spamhaus, they’ll remove that block in a heartbeat…no need to hear from the ISP.

help25 · May 17, 2021, 10:28pm

You are right…

I see two main problems:

Spamhaus use idiotic flagging - all domains on one IP, even when only one domain is “bad”.
Cloudflare doesn’t care who is using their services (malware, pishing and so on).

Unfortunately it’s probably impossible to speak with someone who is able to do something about it…

sdayman · May 17, 2021, 10:54pm

That would be a violation of ToS 2.7 and should be reported at Abuse approach - Cloudflare

help25 · May 17, 2021, 11:03pm

I wrote to abuse team 5 days ago and still no reply, so I have lost hope already…

sdayman · May 17, 2021, 11:11pm

They’re not a very talkative bunch. If you provided a domain name of the offender and the offense, they’ll decide if it’s grounds for termination. They usually don’t respond unless they need more info.

eva2000 · May 17, 2021, 11:33pm

Other possibility is as I said above Cloudflare IP on spamhaus.org - #11 by eva2000 that a lot of the domains for that CF IP listed by taosinteligence are support/ticket system domains support.* domains and you know ticket systems have a lot of automated emails for the confirmation of receipt/closing and follow ups. Some end users could be flagging those automated ticketing emails as spam rather than unsubscribe or deal with them properly.

help25 · May 18, 2021, 6:43am

I think the main reason for the listing are the malware/pishing/fraud domains on this IP.

It’s possible to see them in details on spamhaus listing:
https://check.spamhaus.org/listed/?searchterm=SBL522278

For example:
2021-05-17 17:14:09 - cloudflare.com

Carding fraud site/forums: darksociety.cc ( valid.mn ) (escalation)

darksociety.cc. 299 IN A 104.21.8.249
darksociety.cc. 299 IN A 172.67.188.218

Was:

darksociety.cc. 1798 IN A 5.206.227.172

Was:
darksociety.cc. 1798 IN A 185.11.146.215

2020-03-30 12:27:18 darksociety.cc A 185.11.146.215
2020-12-21 11:20:54 hhh.darksociety.cc A 185.11.146.215
2020-12-20 11:48:37 www.test.store.darksociety.cc A 185.11.146.215

valid.mn. 599 IN A 185.11.145.249

etc…

It’s very unfortunate to have such “neighbors” on your IP and be unable to change it…

Topic		Replies	Views
CloudFlare Domain Server IP listed as a SPAM IP Security	2	3490	November 13, 2021
IP Blacklisted by SpamHaus DNS & Network	10	3508	June 4, 2021
IP of cloudflare 172.67.144.243 is blacklisted in spamhaus Security	3	3177	July 22, 2021
Cloudflare’s 172.67.132.126 blacklisted by spam haus DNS & Network	2	2386	June 22, 2021
Cloudflare's 172.67.212.0/23 blacklisted by spam haus DNS & Network	11	4357	May 18, 2021

Cloudflare IP on spamhaus.org

Carding fraud site/forums: darksociety.cc ( valid.mn ) (escalation)

Related topics