Could you be any less helpful or inane?

Following up on threads like the one above, and many others along the same line of inquiry, which have received idiotic responses from support staff. Blacklisted IPs is a valid and genuine question, to which CF staff respond, “Those settings are set by the domain’s owner, you need to contact the owner …” or a similar half-truth, which sets the circular circus in motion. But the site owner says she has implemented no blacklist.

This is then followed by elementary if not insulting suggestions. I won’t replay the dialogue.

Hello? Are there any databases incorporated into your services? Any third-party data? Let me guess, Spamhaus perhaps? Others?

Cutting to the chase - DNS Blacklists, in their attempt to filter email spammers, cast nets widely with ill-defined parameters, often based on IPv4 environments. A first level, pass-fail filter at one of these rejects IPs that lack rDNS. So for an ISP rooted in IPv6 which provides dynamic IPs to clients, following IPv6 convention, those IPs will likely have a generic rDNS or no rDNS. Boom, a whole category of false positives.

At least one DNSBL wields a core logic that presumes every IP is an email server. To get de-listed you’re going to have to prove your IP is not an email server. Best wishes and good luck.

Most troubling is the pay-to-play feature. If you don’t have time to round up and submit documentation, you can pay a fee to get de-listed. More like extortion than an anti-spamming service.

Cloudflare please, let’s have some accountability instead of shirking it.

1 Like
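The DNSBL mechanics the post above refers to, as an added example that is not part of the thread: it builds the lookup name a client sends to a list for IPv4 and IPv6 (RFC 5782 format) and applies a first-pass rDNS check to already-resolved PTR values. The zone `dnsbl.example`, the hint words and the sample PTR records are constructed assumptions; real lists apply their own unpublished rules.

```python
import ipaddress
import re
from typing import Optional

# Assumed hint words for auto-generated PTR names (not any real list's rule set).
GENERIC_TOKENS = {"dyn", "dynamic", "pool", "dhcp", "cust", "client", "broadband"}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name looked up to ask the DNSBL `zone` about `ip` (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer is "7.113.0.203.in-addr.arpa" or the nibble form "...ip6.arpa";
    # drop the two trailing arpa labels and append the list's zone instead.
    reversed_part = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{zone}"

def classify_rdns(ip: str, ptr: Optional[str]) -> str:
    """Return 'missing', 'generic' or 'custom' for a PTR value resolved elsewhere."""
    if not ptr:
        return "missing"
    tokens = set(re.split(r"[^a-z0-9]+", ptr.rstrip(".").lower()))
    addr = ipaddress.ip_address(ip)
    # IPv4 octets embedded in the hostname usually mean the PTR was auto-generated.
    embedded = addr.version == 4 and all(o in tokens for o in str(addr).split("."))
    if embedded or tokens & GENERIC_TOKENS:
        return "generic"
    return "custom"

def first_pass_filter(ip: str, ptr: Optional[str]) -> str:
    """The pass/fail behaviour described in the post: no rDNS means reject."""
    return "reject" if classify_rdns(ip, ptr) == "missing" else "pass"

# Constructed samples (documentation address ranges, made-up PTR names).
SAMPLES = [
    ("203.0.113.7", "host-203-0-113-7.pool.isp.example."),
    ("2001:db8::5", None),  # dynamic IPv6 client with no PTR record
    ("198.51.100.25", "mail.example.org."),
]

def report():
    """Return (ip, query name, rDNS class, filter verdict) for each sample."""
    return [
        (ip, dnsbl_query_name(ip, "dnsbl.example"), classify_rdns(ip, ptr),
         first_pass_filter(ip, ptr))
        for ip, ptr in SAMPLES
    ]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The IPv6 client without a PTR record is the only sample rejected, which is the false-positive category the post describes.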

It looks like all of these services like Cloudflare are so terrified of spammers that they hide all of their internal logic and security rules from the world. Innocent people then get denied service to many websites for reasons outside of their control. It’s very unfair and borderline sociopathic. No one cares about well-intended end users.

Since it costs money to respond to support requests, Cloudflare could let end users open up trouble tickets for - say - $25 and then do a legitimate investigation trying to understand why service is denied. That might involve talking to the partner company and investigating their security rules. Maybe Cloudflare could inform the partner company how they are using some security feature with unintended side effects.

Especially with Google’s “Captcha” service sometimes asking for four or more Captcha sequences, it feels like the Internet is becoming an increasingly dysfunctional jail in which users waste 10% of their day answering security challenges.

No one who works for Cloudflare participated in the linked thread.

No one in the community forum has access to a specific customer’s account and if they did they wouldn’t be able to share them with you. The site owner would be able to look at their logs if they choose to determine how/why the request was blocked assuming they have the needed information and inclination.

https://support.cloudflare.com/hc/en-us/articles/200170056-Understanding-the-Cloudflare-Security-Level

Additional information in the support knowledge base and documentation.

Cloudflare doesn’t use Google’s captcha service and has documented numerous strategies they are pursuing to reduce/eliminate captchas.

4 Likes

You can’t seriously suggest that Cloudflare discloses a customer’s settings to you, a complete stranger in this context.

The site owner is fully entitled to take the Ray ID that you are presented with on the 1020 page & ask Cloudflare Support as to why that occurred, or check the activity log themselves on https://dash.cloudflare.com/?to=/:account/:zone/security

Ditto. Disclosing why you got a 1020 means disclosing a customer’s security settings, something you have absolutely 0 entitlement to.

Or you contact the site owner whose site you’re having issues with since they’re the ones who have a support entitlement as a Cloudflare customer.

Y’know, the same way that if you buy a Dell laptop from Amazon then you speak to Amazon to return a broken laptop instead of asking Dell directly for a refund.

There’s only one answer and if you don’t like that answer, asking again won’t change it. A 1020 is something that only the site owner can change. Cloudflare will not change, disclose or overrule a customer’s settings.

Unless I’m missing something, how is this relevant to Cloudflare or the 1020 you’re experiencing?

Add onto this everything that @cscharff has pointed out as well as what you’ve already been told in the original thread and this doesn’t seem to be a whole lot more than a rant to claim that Cloudflare has some master scheme to block you specifically from the internet.

3 Likes

The problem with your description of Cloudflare 1020 is that in every case the Cloudflare customer has said to me “We looked everywhere and there is no security setting for you that is different than anyone else”. They are not even aware that 1020 means they need to talk to Cloudflare. So while it is technically correct that a 1020 means a customer has security settings and must change those, in reality the customers often have no clue what 1020 is or how they implement settings for it, or how they investigate those settings on behalf of their end-user customer.

My guess is that a single employee or team within a company has set security policies that affect the 1020 code, and none of that information is available to the line employees of companies who deal with customers. This results in an untenable situation where Cloudflare points to the customer, and the customer says “we have no clue what is going wrong here or why”? At both ends of this spectrum, the end user has no way to resolve issues.

The instructions are on the page.

The ‘Firewall Events Log’ will tell them exactly which rule was triggered.

Ditto.

Ditto.

As in the person being blocked? Of course they don’t, they shouldn’t have a bypass to a security solution.

As in the site owner? It’s been explained numerous times.

I will bookmark your reply and in the future I will try to educate Cloudflare customers about how to investigate Cloudflare error codes. To date, no Cloudflare customer has ever shown any interest in investigating a Cloudflare 1020 error code, even when I give that to them. Maybe no one trained them how to do that, or maybe as I hypothesized the line employees do not have access to that Cloudflare firewall log.

I wouldn’t say there’s particularly any training to it - either they read the error page or they Google the error which would lead to https://support.cloudflare.com/hc/en-us/articles/360029779472-Troubleshooting-Cloudflare-1XXX-errors#error1020

Cloudflare can’t make any decisions on the customer’s behalf as to who they do and don’t give access to the dashboard & certainly shouldn’t move information from the logs to the block page.

Whether the customer wants to unblock you or change their rules is entirely their choice and one that Cloudflare can’t influence or make on their behalf. Cloudflare just provides the tooling.

Cloudflare says “Customer needs to research 1020 on our website and unblock you”

Customer says “We did NOTHING to block you”

How can Cloudflare not see this as a problem? Cloudflare is saying they blocked the customer per the customer’s security settings, and the customer is saying they have no security settings that affect me. The customer is likely wrong, but proving that to the customer is impossible for the end user.

Couldn’t Cloudflare at least develop more detail in the text of its 1020 message to the end user? For example it could say “Customer CrazyBanana has set a security policy that blocks your access to the site”. You don’t have to reveal the actual details of the security policy. But the message should be sufficiently detailed that the customer will be forced to investigate its Cloudflare rules.

It does…? Absent specifically naming the customer.

The site owner may have set restrictions that prevent you from accessing the site. Contact the site owner for access or try loading the page again.

The access policies of a site define which visits are allowed. Your current visit is not allowed according to those policies.

Only the site owner can change site access policies.

It also gives specific instructions, and a guide, on how to identify which rule was triggered for your request.

It’s really nothing that Cloudflare can change that the site staff you speak to don’t know how to follow a very simple guide.

The issue here isn’t with Cloudflare, it’s that you’re speaking to people who probably don’t have access to the dashboard and that’s completely out of Cloudflare’s hands and responsibilities.

I don’t want to repeat myself too many times, but the firewall event log names the exact rule and expression that blocked you. You can’t get more verbose than that.

2 Likes

In the last case I documented, I went to the website and it said “This website is using a security service to protect itself from online attacks.” At the bottom of the page it references a Cloudflare “ray id” and says “performance and SECURITY by Cloudflare”. None of that suggests a static security rule configured by the website. That website disappeared as a website so now I cannot repeat.

When you say you are using a security service, that does not specifically imply that the customer is the one who configured the security rule. Cloudflare should make that explicit: “Customer XYZ has configured a security rule that has affected your access to their website”. Don’t leave it ambiguous.

This thread (and the linked original thread) is about 1020 which you can see here: https://cloudflare.com/cdn-cgi/error/1020

Of which, it doesn’t say what you’ve quoted.

Assuming you’ve used Cloudflare, you’d know firewall rules are something configured explicitly by the user. Rules added by Cloudflare are called Managed Rules.

If you weren’t aware of this, then it doesn’t matter since you as an end user don’t have the ability to change those whereas the site owner would be explicitly told which of their user-configured rules blocked you in the firewall event log.

This isn’t something that the average end user needs to know - all they know is they were blocked (as it says) by a policy the site owner set up (as it says) and they should get in touch with the site owner and provide a ray ID (as it says) which will tell the site owner which rule caused it (as it says).

There’s no need for any more information on there - Cloudflare themselves hasn’t blocked you, a customer has used Cloudflare’s tools to block you and Cloudflare really aren’t involved in the context of telling you what it was or how to get past it as they shouldn’t.

You may be well-intentioned but not everyone is and giving away too much information about a rule means giving more information to bad actors who can use that to find a way around & continue their attack.

The site owner, as the customer and operator, is the only one with the information & they have a wealth of information available in the documentation, the error page and their entitlement to Cloudflare support to decide what to do with this information.

The 1020 error message you point me to is now clear. That is not the error I saw previously. Maybe they updated and improved it.
