I have put in Cloudflare the following IP rule for my website:
220.127.116.11/16 All websites in account Block
But a few minutes ago a spammer was able to use a contact form on my website. The email I received says that the IP address of the spammer is 18.104.22.168. This IP address should have been blocked by the range I set. Why were they able to use the contact form on my website?
A few possibilities:
Your DNS entry is orange-clouded, correct? If the traffic’s not passing through Cloudflare it won’t be blocked.
Try temporarily blocking your own IP in the EXACT same way and verify that you really get blocked (might have to block both your IPv4 and IPv6 IPs).
Did you actually see them in your origin server log? If your contact form submits data to a third-party service, it’s possible they’re bypassing your website entirely and submitting directly to that service (you’d have to check the settings/documentation for that service for mitigation options).
Also, they could have been connecting to your website via IPv6, but then submitting to the third-party service via IPv4 (i.e. if the service doesn’t support IPv6). So you might be blocking the wrong IP. Again, origin server logs, assuming you have your logs correctly set up to show the real visitor IP.
They could also be hitting your website but bypassing Cloudflare, which is not hard to do if they know your origin IP and you haven’t taken mitigation steps. There are ways to mitigate this, but you probably want to verify that’s actually what’s happening before you waste time on mitigation. I personally include the “cf-ipcountry” in my Apache logs so that if I see a “-” in that field I know that Cloudflare was bypassed.
Also, what does your block rule look like? Here’s how I did it and it definitely worked:
And then I have a list that (so far) only has one entry in it (since my spammers only use IPV4):
Using lists makes it easy to add/remove stuff as needed and have it apply to all your domains (once you’ve set up all your domains with a rule pointing to the list).
It’s also easy to add myself to the list temporarily for testing.
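An added example (not code from this thread or from Cloudflare) covering the two checks the reply suggests doing first: whether a visitor address really falls inside a CIDR block rule, and scanning origin server logs for requests that lack the Cloudflare country header. The Apache log format it parses is an assumption (combined format with `%{CF-IPCountry}i` appended as the last field); the sample log lines use documentation addresses and are constructed.

```python
import ipaddress
import re

# Added example, not code from the forum thread. It does two things a reader of the
# thread would want to check before changing anything:
#  1. whether a visitor IP actually falls inside a Cloudflare IP-range block rule
#     (a /16 rule covers the whole 220.127.0.0 - 220.127.255.255 range, not just
#     the address typed into it), and
#  2. whether a request in the origin server log carries a Cloudflare country
#     header, following the "-" heuristic from the reply above.


def rule_network(rule: str) -> str:
    """Normalise a CIDR rule to the network it really covers (host bits cleared)."""
    return str(ipaddress.ip_network(rule, strict=False))


def is_blocked(ip: str, rules) -> bool:
    """True if `ip` (IPv4 or IPv6) is inside any of the CIDR `rules`."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        net = ipaddress.ip_network(rule, strict=False)
        # An IPv6 visitor can never match an IPv4 rule (and vice versa).
        if addr.version == net.version and addr in net:
            return True
    return False


# Assumed Apache LogFormat (not from the thread): combined format with the
# CF-IPCountry request header appended as a final field:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{CF-IPCountry}i"
# Apache writes "-" for a %{...}i field when the header is absent from the request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<country>\S+)$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bypass_suspects(lines):
    """Return (ip, request) pairs whose CF-IPCountry field is "-": the header was
    absent, so the request did not arrive through Cloudflare's proxy."""
    suspects = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["country"] == "-":
            suspects.append((rec["ip"], rec["request"]))
    return suspects


# Constructed sample log lines (documentation addresses, not real visitors).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0" US',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /contact HTTP/1.1" 200 512 "-" "curl/8.0" -',
    '2001:db8::1 - - [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" DE',
]

if __name__ == "__main__":
    rule = "220.127.116.11/16"
    print("rule covers:", rule_network(rule))
    for ip in ("18.104.22.168", "220.127.1.1", "2001:db8::1"):
        print(ip, "blocked" if is_blocked(ip, [rule]) else "not blocked")
    for ip, req in bypass_suspects(SAMPLE_LOG):
        print("no CF-IPCountry header (Cloudflare bypassed?):", ip, req)
```

Run it against the rule and address from the question to see which network the rule actually covers, then point `bypass_suspects` at your real access log once the `CF-IPCountry` field has been added to the LogFormat; any request logged with `-` in that field reached the origin without passing through Cloudflare, which is exactly the case the block rule cannot catch.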