Slack Bot Link Expander is blocked by Cloudflare

Answer these questions to help the Community help you with Security questions.

What is the domain name?
https://williamlam.com/

Have you searched for an answer?
Yes

Please share your search results url:
https://community.cloudflare.com/t/requests-from-slack-blocked-by-bot-fight-mode/516879
https://community.cloudflare.com/t/the-never-ending-nightmare-of-bot-fight-mode-blocking-legitimate-apis/421070

When you tested your domain, what were the results?
403 blocked by Cloudflare’s Bot Fight Mode

Describe the issue you are having:
Preview is unavailable when posting a WordPress blog post into Slack. Contacted Slack and they said their Bot is listed as Rank 34 but Cloudflare is blocking the SlackBot which is responsible for link expansion. They said there’s nothing they can do on their end and said I need to work with Cloudflare.

What error message or number are you receiving?
403

What steps have you taken to resolve the issue?

  1. Verify no existing firewall rules
  2. Contacted Slack Support

Was the site working with SSL prior to adding it to Cloudflare?
Yes

What are the steps to reproduce the error:

  1. Attempt to share blog post (https://williamlam.com/2023/07/building-custom-tanzu-kubernetes-releases-tkr-for-vsphere-with-tanzu.html) on Slack and preview is unavailable

Slack also provides a tool to test unfurling (https://api.slack.com/tools/unfurl-debugger), and it returns 403 as alternative confirmation.

Have you tried from another browser and/or incognito mode?
Yes

Please attach a screenshot of the error:
Attached above

The block was performed by Bot Fight Mode. There’s currently no way to exempt specific paths from BFM. You need to turn it off.

And other users are okay with this? I find it quite strange that Slack has submitted for Bot Verification and yet CF isn’t adhering to this and the only option is to disable the protection? Was there a change in process recently? This used to work at least late last year, and I had only noticed when folks were sharing in Slack that things weren’t getting rendered. I’ve not seen this problem across other platforms where preview was breaking, so I find this a really strange issue that folks seem to be aware of but are okay with …

Both BFM and SBFM are subject to false positives. The standard recommendation is that BFM should only be used during an attack. If your domain is under current attack by bots, you’ll need to find out what’s more important: to protect your domain, or to share URLs on Slack. An alternative would be to upgrade your plan, as paid plans can use Super Bot Fight Mode instead, and for this you can create WAF custom rules with Skip action.

That, of course, says nothing about Slackbot being or not being verified. That’s an issue for Slackbot developers to bring up with Cloudflare Team, as verified bots should not be subject to the actions of Cloudflare bot products, AFAIK.
