Been using CloudFlare for a number of months now and really happy with how it all works.
I’ve been keeping an eye on the firewall section, and noticed some strange behaviour. Nothing wrong with CloudFlare, but just something I’m curious about.
We have a system which generates a unique page link, which we email to a client to view. The link itself would not be possible to guess, and links are not shared between clients. Since we’re based in the UK, we have set “JS Challenge” to all countries outside the UK.
We see our UK users clicking on these links, and they’re not challenged or impacted in any way.
However, in a small number of cases, around a similar time that a UK user views one of the links, there will also be a JS Challenge triggered in the firewall for the same link, outside the UK (often somewhere like France, India or the USA). These challenges don’t make it to our origin, which makes me think they’re definitely a bot. In some cases the IP addresses look clean, in other cases they have a small number of complaints listed in abuseipdb.com.
So I guess my question is, how are bots getting these links, given that they are very much random and difficult to guess, and the foreign visits kind of coincide with when a UK visitor goes to the link? Could it be some kind of email scanning service that the client employs? Or perhaps their computer has malware, which makes a note of any links they click on and sends it back to a bot to investigate?
I’m not looking for any definitive answers, but just some clues as to whether there could be legitimate reasons for this happening.