Phishing abuse Cloudflare DNS

(can only put one pic in I guess so can’t show the error)
For some reason I cannot report abuse for phishing websites using Cloudflare as a DNS provider. Is this intentional?

You can go to abuse.cloudflare.com to report it. However, your screenshot shows the domain is on “clientHold”, so it looks like the registrar has already disabled it; the domain won’t resolve now.

1 Like

It’s still cached in DNS, so it does resolve depending on the network, and I still get the Cloudflare human check. The reply shows that Cloudflare won’t accept the complaint though, which is my main question. It seems like they should accept abuse reports for domains using their DNS.

Cloudflare has no authority over DNS resolvers operated by third-party networks, and as such, won’t be able to do anything here.

If you see one or more networks where this is the case, you would need to reach out to operators of those DNS resolvers, to request that they flush the DNS cache of their DNS resolver (eventually, for the specific domain).

Due to the clientHold status, as mentioned above, the domain technically does not use any DNS at this point.

Both clientHold and serverHold indicate that the domain has been suspended, and as such, it isn’t active in the DNS system any more.

2 Likes
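Added example, not part of the original thread or any poster's reply: a Python sketch of the check discussed above, reading an RDAP domain record for a hold status and bounding how long a TTL-honouring resolver could keep answering from cache. The domain name, dates and TTL values are constructed, and treating the RDAP "last changed" event as the moment the hold was applied is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# RDAP spellings of the EPP statuses clientHold / serverHold (RFC 8056).
HOLD_STATUSES = {"client hold", "server hold"}

# Constructed RDAP domain object (not real registry data).
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "phish.example",
  "status": ["client hold", "client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2024-01-02T09:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2024-01-10T19:30:00Z"}
  ]
}""")

def hold_statuses(rdap):
    """Hold statuses present on an RDAP domain object, sorted."""
    return sorted({s.lower() for s in rdap.get("status", [])} & HOLD_STATUSES)

def last_changed(rdap):
    """Timestamp of the 'last changed' event (assumed here to be the hold)."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "last changed":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def cache_horizon(rdap, ns_ttl, answer_ttl):
    """Latest time a TTL-honouring resolver could still answer for a held domain.

    Worst case: the delegation was cached just before the hold (ns_ttl), and an
    address record was fetched from the old nameservers just before that
    delegation expired (answer_ttl). Returns None if the domain is not on hold.
    """
    changed = last_changed(rdap)
    if not hold_statuses(rdap) or changed is None:
        return None
    return changed + timedelta(seconds=ns_ttl + answer_ttl)

def triage(rdap, ns_ttl, answer_ttl, now):
    """One-line summary for an abuse ticket."""
    horizon = cache_horizon(rdap, ns_ttl, answer_ttl)
    if horizon is None:
        return "not on hold"
    if now < horizon:
        return "on hold, cached answers possible until " + horizon.isoformat()
    return "on hold, caches expired"

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 20, 31, tzinfo=timezone.utc)  # constructed
    print(triage(SAMPLE_RDAP, ns_ttl=172800, answer_ttl=300, now=now))
```

Inside the horizon, the remaining exposure sits with resolver operators, who can flush the name from their caches.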

Sorry, on my phone so I might get typos. I get that the registrar suspended it, but I still think it makes sense for Cloudflare to accept reports. This particular phish was proxied through Cloudflare and using the DDoS protection. Given this, Cloudflare is basically serving up the phish from their own servers, which with caching could be a significant amount of time for a phish on an institutional level where the targets are on a shared network. I agree that local admins could solve the issue, but when Cloudflare is used as a proxy they could (and should) too.

@nlsproductions As the error message states, the domain was not active on Cloudflare anymore at the time, so there would be no point in reporting abuse after it has already been disabled.

1 Like

I’m kind of curious what “not active” means. When visiting the link I got


Clearly, it was still going through Cloudflare’s proxy (for at least an hour). The ICANN screenshot was the first one I took, so being able to report this to Cloudflare could have taken this down hours faster on networks where it was cached.

“Got” is past tense.

Do you “get” that now?

What exact date and time did you make this specific screenshot?

Got is past tense, yes. That screenshot is from April 16, 16:31 GMT-4 (about an hour after the registry update). I was getting that CAPTCHA for the remainder of my work day, but I did use a fresh device to VPN to a different network where that domain wasn’t cached, so that device couldn’t resolve the DNS. It has since become uncached, so it is no longer resolvable. The phishing site was using Cloudflare infrastructure for hours after the registry change, which I was trying to report. I would accept an answer that this is out of Cloudflare’s scope, but I figured that they would care about content proxied through their infrastructure.

So at a time where the issue was technically already resolved.

It seems like we’re at least three (3) people that have told you that already.

But again: It is.

I’m therefore closing this thread now.

1 Like