Getting Hundreds Of Exposed Origin Warning Emails From Net Observer

Hello everyone!

Overnight and this morning I have been receiving literally hundreds of warning emails from netobserver. org saying my website’s origin is being exposed due to my Cloudflare setup. Only the very first email actually mentioned a web address that I own, the rest I had never heard of before. Here is an example of one of those:


This message relates to the security of your website at razas. net.

You are receiving this email because, your website’s origin IP address: {ip redated} is exposed and vulnerable due to a security vulnerability in your current Cloudflare setup.

This means that hackers can attack it directly by bypassing your Content Delivery Network’s firewalls and Denial of Service mitigation systems.

Go to https:// netobserver. org/website-exposure-test.php?domain=razas. net to run an updated report and to get up to date instructions on best practices for how to patch this vulnerability.

NetObserver. org
Protecting Digital Security
By the people, for the people

When I went to the Net Observer web site and ran the test for my web site, the results said it was exposed, and an IP address was provided. When I put that IP address into a web browser, it did go to the root directory of my account (the web site in question is in a sub-directory of my main domain).

Anyone have any information on what this is all about? I have not made any changes to my Cloudflare setup in months.

Your email is likely hosted on the same server as your website, so your Mx record exposes the IP of the site. There’s not a way to change that short of either a. moving your email to another server/service or b. using a 3rd party mail filtering gateway like Mimecast as your public facing Mx.

I have no idea who the Net Observer folks are, but if they sent you hundreds of emails they likely have a bug in their systems. You might ask them to fix their systems. :slight_smile:

Thanks for the response. Do you know if having the IP address exposed is actually a security threat? Can’t anyone find the IP of a web address by simply using Ping or Tracert?

One of the features of Cloudflare is that when we proxy traffic :orange: it obfuscates the origin IP address. Some traffic like FTP and SMTP can’t be proxied.

Is it a security threat? Yes? It sort of depends. I guess technically anyone can be the target of a DDoS attack and this would allow an attacker to determine your true origin IP to attack it bypassing Cloudflare.

There’s no way this won’t sound condescending (and I promise it’s not my intent) but in general, if your hosting config is such that your webserver and SMTP server are on the same box the odds you’d make a prime DDoS target are somewhat low. Now there are all kinds of caveats and exceptions I’m sure, but as a general rule it tends to be true in my experience… if you think you are an exception to that, then cool… best first next step would be to move the mail server to another box or service provider.



I got last night ~100 of this emails. All for domain names I have never seen before.
These mails are send to XX email address at the same time and my email address is the one I use only for whois profiles. The MX records for my domain are from Google so the whole message is fake.

1 Like

Ditto, Just got blasted today.

I have received a similar email and it’s very good campaign for spam try to steal users from Cloudflare…
If you take a look at whois data for netobserver .org you will see
Registrar Registration Expiration Date:
Registrar: Epik Inc.
Registrar IANA ID: 617
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4252025160

If you go on their website, once you insert any kind of domain that use Cloudflare you will “strongly suggested” to use “bitmitigate .com” service and guess who is the company owner? (don’t look at whois data for bitmitigate they use privacy protection")
It’s still Epik Inc :joy:


Anyway if you have any kind of DNS record on Cloudflare that doesn’t have reverse proxy enable they consider it as a security flaw

This topic was automatically closed after 30 days. New replies are no longer allowed.