
I have some experience in this field. Around two years ago I was a DevOp for the company running Dagbladet, Norway's #2 newspaper. One of the things I did was keep an eye on mysterious traffic.

I managed to find a huge spam network that set up a proxy service that delivered normal content, but injected "you can win an iPhone!" spam to all users visiting them.

Since I was in the position of being able to monitor their proxy traffic towards many sites I managed, I could easily document their behaviour.

At the same time, I wrote a crawler that visited their sites over a long, long time. I learned that they kept injecting hidden links to other sites in their network, so I did let my bot look at those also.

By this time, I also got a journalist with me that started to look at the money flow to try and find the organisation behind it.

My bot found in excess of 100K domains being used for this operation, targeting all of western Europe. All the 100K sites contained proxied content and were hidden behind Cloudflare, but thanks to the position I had, I managed to find their backend anyways.

We reported the sites to both CF and Google, and to my knowledge, not a single site was removed before the people behind it took it down.

Oh, and the journalist? He did find a Dutch company that was not happy to see either him or the photographer :)



> We reported the sites to both CF and Google, and to my knowledge, not a single site was removed before the people behind it took it down.

As someone that tried reporting spam sites because they were using content scraped from my website, I'm not surprised.

Cloudflare has a policy that they will not stop providing their IP hiding/reverse proxy services to anyone, regardless of complaints. The best they do is forward your complaint to the owner of the website, who is free to ignore it.

They say "we're not a hosting provider" as if that's an excuse that they can't refuse to offer their service. I'm sure many spam websites would go away if they couldn't hide behind Cloudflare.


> The best they do is forward your complaint to the owner of the website, who is free to ignore it.

Or worse. Since I have no way to know beforehand who I would be dealing with, this is actively dangerous - what if the mobster running this site is having a bad day and chooses to retaliate?

Also what a stupid fucking policy that is. Even if you are not legally compelled to block content, what is the point of actively helping distribute harmful content?

What they are doing is worse than just saying "We are not a hosting provider" - because while that is true, they are actively distributing content that is hosted elsewhere while hiding who is hosting it.

One can easily write an email to abuse@hoster.example.com and usually these people do not want garbage on their networks. CF is making it impossible to notify them, and they refuse to implement an alternative procedure.

I still do not understand the moral position of profiting off of enabling criminal scum, when it would be so easy not to...


I do not think that it is up to Google or CloudFlare to police the internet. If a site is doing something illegal then report it to the appropriate gov agency. If the gov agency does not do anything then get involved in the political process to fix that.


If Google, or CF, or whoever are fronting illegal activity with their services, they are absolutely responsible for damages the party they are proxying.

Platforms must be responsible for the content they are hosting, broadcasting, and publishing.

One to one communications between two people exchanging ideas and having a private discussion is different from mass broadcasting.


> Platforms must be responsible for the content they are hosting, broadcasting, and publishing.

> One to one communications between two people exchanging ideas and having a private discussion is different from mass broadcasting.

The highway is used both by those visiting their friends and those doing mass deliveries. Is it the job of the highway maintenance crew to control for what purpose their network is used?

I would like to know if the above analogy stands.

Edit: https://news.ycombinator.com/item?id=27994831


The "owner" of the highway is the government, who regulates commercial traffic differently to personal traffic. The government places strict rules on who is allowed to use the highway, and how it is used.

The highway maintenance crew is akin to the person installing racks for CloudFlare.


Highways are a poor analogy for information broadcast systems in general. Highways are closer to a one to one transmission system rather than a broadcast system of one to many.


They're already removing things they don't like. I see no reason why they shouldn't remove things that are objectively 100% harmful.

Like seriously, is there a single person on the planet that's going to defend online scams? It's immoral, it's illegal, it benefits no one and harms thousands. And it's not like it's very hard to detect and block either.


If someone were to tell AT&T that this call center customer of theirs is in the business of extorting people for money, they'd at least look at it and help law enforcement accordingly. Cloudflare has a talk-to-the-hand attitude until actively forced by law enforcement. That's an important difference right there.


Gov agencies and political processes take ages to do anything at all.

At this point I'd still like the internet companies doing partial policing of content. At least they'll achieve something.


Because criminal scum pay their bills. You don't think 8Chan was on a free account do you?

The sooner developers realize that Cloudflare is not saving the Internet the better.


At this point I'm convinced that at least 10% of all legitimate economic activity is actually money laundering for crime organizations, in various forms. I imagine that percentage goes even higher in the financial capitals of the world.


That’s the low estimate.


'ey... I'm trafficking Paintings 'ere -- ya know... Art


> what if the mobster running this site is having a bad day and chooses to retaliate?

I wonder if someone with malicious intent could set up a site designed to generate complaints (how exactly would be an exercise for the reader), put it behind Cloudflare, and purposely use the information in the forwarded complaints to harass, abuse, dox, or otherwise harm people.


> One can easily write an email to abuse@hoster.example.com and usually these people do not want garbage on their networks. CF is making it impossible to notify them, and they refuse to implement an alternative procedure.

But that's exactly what CF does. They forward your abuse complaints to the abuse contact of the IP address hosting the content.


The retaliation is quite real—CF keeps your entire e-mail address and name in there, so you are essentially doxxing yourself. Pretty sure 8chan posted a lot of the reports they got back in the day.


They might take that stance, to avoid liability and complication.

At the moment, they have a very clear rule. If they stop providing services to obvious spammers, they will create lots of grey areas, and they will also implicitly make a judgement that the clients they still serve are _good_ in some way, and an enterprising lawyer or muckraker might exploit that.


Cloudflare dropped the Daily Stormer. The ship of pretense of no judgement has sailed.



This may have had something to do with the fact that the Daily Stormer was claiming prior to that that their lack of suspension was an implicit endorsement by CloudFlare of their site and content.

Misuse of trademarks is a thing.

I agree, however, that CF's policies are applied arbitrarily.


And 8chan, the 4chan alternative where anyone can make and moderate their own board.


Better known for being linked to the Christchurch and El Paso shootings, being the origin of the QAnon movement and having a history of hosting child pornography.

https://en.wikipedia.org/wiki/8chan


Facebook, reddit, MySpace and Twitter have all been linked to mass shootings and child pornography. None of these sites condone, enable or remotely desire such content.


> None of these sites condone, enable or remotely desire such content.

Yeah, and that's the difference, isn't it? 8kun might not condone any of these things, officially, but it very much enables and desires them.

This kind of discourse is seen as the "price of freedom", its presence a demonstration of absolute tolerance and blind faith in freedom of speech. Facebook, reddit, MySpace and Twitter are more strictly moderated and impose actual terms of service on their users' freedom of expression.

But of course this also means the people most motivated to join networks that offer guarantees of free speech absolutism are those whose discourse is not tolerated by these mainstream alternatives. And their presence will almost guarantee an absence of "normies" who don't run into the limits of their freedom of speech on the moderated networks much and feel uncomfortable around the former group.

Heck, the only reason 8chan ever became large enough to be widely known was because 4chan evicted Gamergate. And 4chan isn't exactly known for its strict moderation and suppression of political views.


Do you know why 4chan evicted Gamergate?


Enlighten us, I'm sure your explanation will reframe 8chan in a way that makes it seem a lot more respectable.


Moot was trying to be friends with the people in that circle. A girl he was trying to date didn't like it. He was taking awkward babysteps towards his lackluster job at Google where he would never be promoted or accomplish anything meaningful again.


How is that different from a hosting provider that has to address legal complaints regarding spam, copyright infringement, etc. on their servers? Just like a hosting provider, they specifically have a relationship with the website owner to provide the reverse proxy service. It's not like they can say "we don't know who or how our service is being used".

It seems to me that if they want to be in this business they have to deal with these liabilities and complications, not hide behind some vague "our hands are tied" language.


Presumably if illegal content is not taken down by the customer then the host cancels the service, right? Otherwise the host risks liability. That's different from revealing the IP of a customer which requires a court order.


You have a point, but I assume those businesses' lawyers understand this better than our armchair speculation here.


> How is that different from a hosting provider

If their argument is "we only retransmit what we get, with caching" then they are in the same place liability-wise as the phone providers ("We only retransmit what we get, with caching").

In other words, a common carrier.

Hosting is different. For example, Youtube is not liable for what their users upload. They comply with takedown notices because they host the content, not the user.


But in a way, they actively host the content. The fact that their server periodically retrieves new content from a different backend makes no difference. The page sits on their hard drives and is served by their servers when I visit that domain. It's always been a very, very thin argument and it has gotten even thinner with the likes of Cloudflare Pages and Workers.

Cloudflare is just a huge company actively ignoring abuse complaints and somehow they are getting away with it. It even helps their PR to a certain market segment.

They even still host kiwifarms, a board that is primarily known for its vicious harassment of people and is known to have driven multiple innocent people to suicide.

I consider CloudFlare a bad actor at this point and I wish the other big names around them would too. They are subsidizing crime with VC money.


This logic doesn’t make sense. Nobody is under the illusion that CF is somehow incapable of denying service to individual customers.


This policy even extends to stresser/booster/DoS-for-hire services - try searching for some and see who fronts them?

20 years ago the transit providers of the internet would have spotted Cloudflare for what it is, and cut it off.


I've been reporting hundreds of spam sites to Cloudflare, but always get the same lame excuse. Godaddy the same. Meanwhile good content drops in Google rankings and spam moves to the top.


That seems like the sort of thing that should require a judge's order.


Cloudflare is not a public institution. It troubles me that they get to define, draw, and then maintain that line.

However, I do agree - privacy unveiling like that should require a judge's order.


But they don't, that's explicitly their stance. There is no line. They host everyone equally. To do the opposite would require drawing a line.


That is not true. They do have a line specified here https://www.cloudflare.com/abuse/

It's just that the procedure is so useless that it might as well not exist.


IANAL, but I don't see a Cloudflare specified line anywhere on this page. I think this is just the bare minimum they are legally required to do.


> There is no line

You are missing the point of the complaint, which is that it's a private decision to hold that policy. Maybe it was a bad idea to use the word "line", but the intent still stands unaddressed.


> They host everyone equally.

Everyone except those that are too right wing.


Are you referring to the one incident where they stopped hosting a racist hate site and then vowed to never take sides again?


Yes. Also to the incident where they stopped hosting 8chan after they vowed to never take sides again.

You can agree with Cloudflare not providing services to those sites as much as you want, but you cannot pretend that Cloudflare hosts everyone equally. They cannot use that as an excuse to not deal with spammers.


Well, that one incident shows that they don’t host everyone equally. A very simple and obvious conclusion.


One data point is not a pattern.


Two: Daily Stormer and 8chan.


Know of any equivalent "left wing hate sites" that Cloudflare hosts unbanned?


"He has never murdered anyone" "Are you referring to the one incident where he shot a racist hater and then vowed to never murder again?"

All I'm saying is that we won't know until they come under pressure again


> All I'm saying is that we won't know until they come under pressure again

That's also true of people who haven't murdered anyone yet, though.

Whom do you trust more? The person who did something and vowed to never do it again, or the person who didn't vow anything? I tend to prefer the former.


When it comes to murdering someone, I'm going to prefer the person who has never murdered anyone yet.

When it comes to service providers, I would tend towards your direction. They did a thing that had conflicting ethics on each side, weighed the outcome and their ethics, and then made a hard decision for the future. What they did could be reversed, too, and didn't cause much permanent damage.

Murdering someone is very permanent and should take a lot more initial consideration.


this metaphor is absurd. the actual murderers here are the contributors to the banned sites, not cloudflare, and there were a lot more than 1 murders.


Yes, it is akin to revealing the IP of a user on a social media site.


I'm pretty sure they stopped providing services to a neo-nazi site a few years ago. A decision that I am completely happy with btw.


This is very rational of them. They position themselves as a pipe for "bytes", not "content".

By ignoring the content they serve, they rid themselves of the necessity to analyze and judge what they serve. Not only would this require a brain the size of a planet and the expense of running it, but also would inevitably conflict with someone else's judgments, and bring various PR woes.

They don't analyze the internals of their traffic the way internet backbone providers don't analyze the internals of the traffic they pass around.

I frankly find this position superior: imho it does more good by preventing censorship than harm by serving good-intentioned and bad-intentioned customers alike.


In fact I completely agree with that stance. It's not Cloudflare's job to police the content. They provide a simple service. If something is unlawful law enforcement should go after the owners.


And how, might I ask, do you propose to do that?


Law enforcement can get a warrant to get information to try and find them for example. They can hire security experts. They can do tons of things.


That sounds like a hell of an investigation, and now my curiosity is running. 100k domains sounds like a huge amount of logistics on their side to keep it all running. It would be interesting to read about how a spam company manages that kind of infrastructure compared to a "legit" company.

Legit company will always have internal struggles between dev/sales/marketing, so things just take longer and are much more draining to accomplish. I'd imagine spam org just needs to have bare minimum stuff up to satisfy whatever need it is they have knowing that humans won't necessarily be perusing those domains, yet it's 100K domains. I could almost see something like this running more smoothly. I can also see it being run by small number of people that let things lapse and it's just barely hanging together. So many questions...


It is not very difficult to manage: a company of mine was bought by a squatter (I found out after dealing with a broker for the sale; I had to integrate it with their 'tech team' and walked away after) and for many years already, this all has been fairly easy to automate. The registrars have APIs, Cloudflare has APIs. There was 1 tech guy keeping it all up and running and he didn't have to do anything. It would register and provision with content automatically. There is really almost no work involved besides keeping money in the registrar account and the costs are only the domains probably, maybe they have a little hetzner load balanced setup with 2 machines but that's likely it.


The reason you found so many domains is that they intentionally take down their spam sites and reload them under a new domain every few hours. They do this so they can't be taken down by people reporting them as spam. They literally set up the next domain while the current one starts being used so they can do a live swap to the next one without interruptions to their spam operations. This is typically done in an effort to spread Trojan malware to anybody running computers with out of date operating systems and browsers. Windows getting people off of Internet Explorer has been a huge hit for them as it reduces the number of possible vulnerabilities someone might have when they get sent to one of these Trojan spam sites.


> By this time, I also got a journalist with me that started to look at the money flow to try and find the organisation behind it.

Very curious to know what you found!


We did publish a whole series about the network and companies we found in the process, unfortunately in Norwegian only and soft-paywalled: https://www.dagbladet.no/nyheter/sonjas-52-oppdagelse-avslor...


did the article resonate with Norwegians? I assume the report probably answered so many questions of the populace on Google's malfunction, even if nothing came out of it

what was the feedback to the article?


Can I just clarify?

There is / are organisations that a) scrape legitimate sites for content, b) host that content on their own 100K domains, c) sit behind cloudflare, d) do some seo??? e) when someone finds their site they then inject an ad or similar rubbish f) do this enough that they make money off the ad / competition / porn ?

That seems like a problem that the ”original-source” metatag was supposed to stop?


Canonical urls help with noting your own purposeful duplicated content. But that meta tag goes on the duplicated content. So it doesn't help with scrapers, who strip that out.


But I thought that it was useful for google - who could find two caches with same content, one of which was 2018 one of which 2020 and both say "this is canonical". At that point the 2018 version is real and the other rejected.

Then again, you could just do it with publication dates ...


I don't know why, but Google seems unable to figure out (or just doesn't care) "who published it first". I've seen it be confused many times.


Do you want to get to the bottom of this? A friend of mine is a top Dutch lawyer with an interest in these things.


This was two years ago and the network is now (to my knowledge) gone.


alright, thanks for the clarification



