You can't report it to Cloudflare in any meaningfully straightforward way and expect them to take it down. Even if you go through Cloudflare's incredibly laborious and intentionally problem riddled abuse complaint process, and even if they take down one instance, bad actors can make thousands or tens of thousands (or more), so reporting this does effectively nothing.
Cloudflare is enshittifying the Internet once again.
(I don't care if this gets downvoted by CF fans - not a single one will engage meaningfully about any point asserted here)
Like I said, how is it different from Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly or a million similar services anyone can set up in a matter of minutes? If someone shares a random URL and you click on it and download and run an executable on your computer, the server that hosted the file isn't the one to blame.
Most sites are better about preventing and handling abuse of their service. When a service makes it difficult to report abuse to them, or fails to act on the abuse reports they get, they are the ones to blame.
Scammers and assholes will always exist. It's the responsibility of everyone operating a service on the internet to make sure that their service isn't acting as a safe-haven for those criminals and bad actors.
Google is somehow worse than cloudflare is. I heard recently that Google won't even accept an abuse complaint for docs.google.com unless you create and sign into a google account.
You can report a link that points to content on Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly. Do you think that links pointing to any of those services are in any way anonymous?
You report Google Drive links to Google, Dropbox links to Dropbox, OneDrive links to Microsoft, S3 links to Amazon, WeTransfer links to WeTransfer, MegaUpload links to MegaUpload, and Bit.ly links to Bit.ly.
Apocryphally saying "they all suck at this but Cloudflare sucks most" is just moaning. Any free/near-free hosting or caching service can be used to distribute malware. Mail services have been used to push malware for decades, and while many of them filter content, that's a cat&mouse game a determined malactor will occasionally win.
Are they really "so much worse" than anyone else ?
(ex-CF so pillory me for ex-cusing my ex-employer; as said, to me, "all cooks use water")
First, their abuse reporting page has issues. The amount of data allowed to be pasted is very limited and won't allow the full content of most spam. If you paste the full amount, you can't submit, and you won't know why - you have to go and remove some content. It's rate limited so that even a human reporting multiple items has to sit and wait. You're forced to provide a URL that points to Cloudflare servers, meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS. They have a CAPTCHA on the abuse reporting form. I could go on, but it's tedious.
This company spent YEARS saying that they don't "host" anything, and they still play games in that their abuse reporting doesn't reflect any of the offerings that've been added in the last several years. They don't even have a category for spam!
So yes, they are "so much worse" than anyone else. They actively skirt responsibility.
> meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS
Yes there is: registrar-abuse@cloudflare.com
> This company spent YEARS saying that they don't "host" anything
Yes, for their "proxying" service, they take no action when it comes to that, all they will do is forward the report to the hosting provider.
> They don't even have a category for spam
Use the general category or abuse@cloudflare.com
> It's rate limited so that even a human reporting multiple items has to sit and wait. [...] They have a CAPTCHA on the abuse reporting form.
Yes, I agree. I reported hundreds of ".pages.dev" sites (hosted by their Cloudflare Pages service), the form restricts it to 1 unique domain per report, so I had to make hundreds of individual reports but they did take them down.
> they are "so much worse" than anyone else
I don't agree with this, in my experience they have taken action on some reports meanwhile some other companies have done nothing (DigitalOcean (Doesn't deal with any of my reports, known for being infested with bad actors, now they're the first ASN I block when I'm setting up a firewall), AWS (their customer spammed me for months, tried telling me the email didn't originate from them, but it did.), Dynadot (will not do anything without court orders, warrants) )
I don’t think you know how the internet works if you think you can police every single URL. Ok now I’ve hosted malware on 121.23.65.89. What are you going to do?
