You can report a link that points to content on Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly. Do you think that links pointing to any of those services are in any way anonymous?
You report Google Drive links to Google, Dropbox links to Dropbox, OneDrive links to Microsoft, S3 links to Amazon, WeTransfer links to WeTransfer, MegaUpload links to MegaUpload, and Bit.ly links to Bit.ly.
Apocryphally saying "they all suck at this but Cloudflare sucks most" is just moaning. Any free/near-free hosting or caching service can be used to distribute malware. Mail services have been used to push malware for decades, and while many of them filter content, that's a cat&mouse game a determined malactor will occasionally win.
Are they really "so much worse" than anyone else ?
(ex-CF so pillory me for ex-cusing my ex-employer; as said, to me, "all cooks use water")
First, their abuse reporting page has issues. The amount of data allowed to be pasted is very limited and won't allow the full content of most spam. If you paste the full amount, you can't submit, and you won't know why - you have to go and remove some content. It's rate limited so that even a human reporting multiple items has to sit and wait. You're forced to provide a URL that points to Cloudflare servers, meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS. They have a CAPTCHA on the abuse reporting form. I could go on, but it's tedious.
This company spent YEARS saying that they don't "host" anything, and they still play games in that their abuse reporting doesn't reflect any of the offerings that've been added in the last several years. They don't even have a category for spam!
So yes, they are "so much worse" than anyone else. They actively skirt responsibility.
> meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS
Yes there is: registrar-abuse@cloudflare.com
> This company spent YEARS saying that they don't "host" anything
Yes, for their "proxying" service, they take no action when it comes to that, all they will do is forward the report to the hosting provider.
> They don't even have a category for spam
Use the general category or abuse@cloudflare.com
> It's rate limited so that even a human reporting multiple items has to sit and wait. [...] They have a CAPTCHA on the abuse reporting form.
Yes, I agree. I reported hundreds of ".pages.dev" sites (hosted by their Cloudflare Pages service), the form restricts it to 1 unique domain per report, so I had to make hundreds of individual reports but they did take them down.
> they are "so much worse" than anyone else
I don't agree with this, in my experience they have taken action on some reports meanwhile some other companies have done nothing (DigitalOcean (Doesn't deal with any of my reports, known for being infested with bad actors, now they're the first ASN I block when I'm setting up a firewall), AWS (their customer spammed me for months, tried telling me the email didn't originate from them, but it did.), Dynadot (will not do anything without court orders, warrants) )
I don’t think you know how the internet works if you think you can police every single URL. Ok now I’ve hosted malware on 121.23.65.89. What are you going to do?
It's not complicated.