| |
| ▲ | embedding-shape 9 hours ago | parent [-] | | Ok, but what about as a CDN/website-proxy/WAF? I know we don't have the same automated reputation-propagation as with email, but same thing supposedly happens there, where eventually you get turned off if you don't act on lawful requests, which is exactly why Cloudflare is unavailable in Spain during La Liga matches, because Cloudflare don't take piracy streams down. In theory, Cloudflare should take those down, when requested by legal means, but that doesn't matter. How sure are we that they'll act differently for email, instead of trying to get rid of the reputation system instead? > getting that email to not be rejected totally IS rocket science and it's simultaneously an art form known only to a handful of email nerds working at the core of the big email sending services It really isn't, you need a clean IP and a clean domain, send handful of emails and you're pretty much whitelisted on most services out there. Maybe you'd say I'm one of the handful, but I personally know more than a handful others who also run their own email services, just like me, and besides the usual hassle of running your own service, as long as you don't spam, your emails will arrive as usual. | | |
| ▲ | ttul 8 hours ago | parent | next [-] | | I run an email sending service at scale (billions of messages per month, tens of millions of end users, thousands of customers). Most of our software development and operational effort revolves around abuse mitigation. That has been the case for 15 years. It's a cat-and-mouse game with two different mice: the senders, who are constantly trying to figure out how to get you to deliver their garbage; and the receivers, who are constantly trying to figure out how to block it. We're stuck in the middle. It's hard to appreciate how difficult this battle is when running at scale. | | |
| ▲ | embedding-shape 4 hours ago | parent | next [-] | | Right, I won't disagree with any of that, but I'm not sure how it's related to what I wrote either. Maybe I should have been more specific that I'm talking about hosting your own email, not hosting emails for others, which brings out a lot of other types of problems. | | |
| ▲ | ttul 3 hours ago | parent [-] | | Apologies. When you said "email services" I thought you were implying "email services for use by others". Yeah, you can definitely run your own mail server in 2026 and I think the internet community should always strongly endorse being able to do so. Unfortunately, large email receivers have to make do with imperfect signals when making filtering decisions, and your traffic from a lonely IP that happens to have a bad neighbour might get blocked as collateral damage. One long term hope: That domain name reputation eventually overtakes IP address reputation entirely. |
| |
| ▲ | i_think_so an hour ago | parent | prev | next [-] | | > I run an email sending service at scale (billions of messages per month, tens of millions of end users, thousands of customers). Giving you the benefit of the doubt and accepting your claim, doesn't that make you one of the people at least second-order responsible for the current state of affairs in email blocking? It would seem that your company, by dint of your volume, navigates roadblocks that the rest of us (ie. the 99.999% of Internet email servers and their admins), who aren't FAANG et al[1], have to deal with to get our users' legitimate email delivered. If so, could you perhaps give us a brief explanation as to why an otherwise competent engineer can "follow all the best practices" with their server which has no known compromises[2], on an IP address they have controlled for, oh, let's say a full calendar year, and yet still can't get off those FAANG et al default-deny blocklists, but you can?[3] A cynic might say that your service had a vested interest in paying for unimpeded access to those FAANG et al companies to get over the bar that the rest of us are unable to vault. A cynic might also say that those biggest of the big email services like it that way, because it drives more users to them at the expense of the rest of us 99.999%. I'll try to remain open to the possibility that there are aspects of the industry I've not yet had any exposure to, and refrain from chimping out over having my users blocked through no fault of their own. [1] Yes, I know, Facebook doesn't receive anywhere near as much email as they send, and Hotmail = Microsoft, etc. If I used an accurate acronym I could pat myself on the back for being Technically Correct, while nobody would know what the heck I was talking about. [2] We shan't digress into a discussion of hardware/firmware/OS/application backdoors nor Snowden disclosures. It's not that hard to auto-install security updates and run a reasonably tight ship with no unnecessary attack surfaces. [3] Or perhaps there aren't any default-deny blocklists at all, but in fact only much smaller default-allow whitelists? That would be cynical indeed. | |
| ▲ | pbronez 7 hours ago | parent | prev [-] | | What structural changes could we make to improve the situation? | | |
| ▲ | ttul 4 hours ago | parent | next [-] | | That is such a great question and there is no easy answer. There have been enormous efforts to do better for at least the last 20 years. An entire organization, M3AAWG, was founded for that reason and it meets three times a year, bringing together all the people that matter for making the situation better. It's a great organization and the people are all really smart and awesome. The IETF is no slouch either, coming up with excellent new standards and improving existing ones, such as the recent update to DKIM. That's about as good of an answer as I can provide: keep sending smart people to the conferences! | |
| ▲ | edoceo 7 hours ago | parent | prev | next [-] | | Signed senders? | |
| ▲ | b112 6 hours ago | parent | prev | next [-] | | It's simple, there's a standard, a new one, which takes into account SPF, DKIM, DMARC, ARC, and even DANE along with upcoming and purposed SPKF, DKIM+, DMARC2, and ARCv4. It should fix just about everything. | | | |
| ▲ | jgalt212 7 hours ago | parent | prev [-] | | Hashcash, or BTC. | | |
| ▲ | ttul 3 hours ago | parent [-] | | I always loved the hashcash concept and actually raised our original funding because of it (our Microsoft angels loved the idea of making spamming more expensive, and our Series A concept was tar-pitting to dissuade botnets). In the context of email sending services, we have a modern version of hashcash that we might at some point turn to. If someone can figure out how to tokenize sending at scale, then senders could pay recipients to open their emails by attaching a "tip" to each message. If even a small fraction of legitimate email recipients altered their mail client settings to route "tipped" messages to their inbox, that would probably suffice to get senders to participate in the scheme. Senders are starved for high quality engagement data. Meanwhile, anything we can do to make spam less likely - on a relative scale - to reach the inbox in comparison to "legitimate" traffic, is a win. |
|
|
| |
| ▲ | pocksuppet 8 hours ago | parent | prev [-] | | Cloudflare acts on lawful requests during LaLiga matches. The problem is that the Spanish government doesn't want to bother doing things the lawful way because that takes too long. They want piracy to magically disappear and they'll randomly shut down more parts of the internet until it does. Actual illegal sports streams are not impacted by Cloudflare being down, and Cloudflare is not the only impacted network. | | |
| ▲ | embedding-shape 4 hours ago | parent [-] | | > problem is that the Spanish government doesn't want to bother doing things the lawful way because that takes too long In Spain, what they are doing, is the "lawful way", it's literally happening via the courts and judges. Do you think ISPs are blocking Cloudflare specifically just for fun, out of their own accord? > Actual illegal sports streams are not impacted by Cloudflare being down, and Cloudflare is not the only impacted network. Some are, many aren't. Cloudflare is indeed the only impacted network, at least for me. Which other networks are being blocked for you during the La Liga matches? | | |
| ▲ | Dylan16807 4 hours ago | parent [-] | | The specific blocks don't go through courts and judges. | | |
| ▲ | embedding-shape 3 hours ago | parent [-] | | Yes, the specific block of blocking Cloudflare in Spain during La Liga matches literally has gone through a court and been ordered by a judge, I'm not sure how you could have missed this. Judges have also dismissed the requests from Cloudflare and others to remove the "dynamic block" as there is collateral damage. | | |
| ▲ | Dylan16807 3 hours ago | parent [-] | | My understanding was that cloudflare was being blocked by the same IP blocking list as everything else. And while that system went through courts, the list didn't. There are also direct actions against cloudflare, but that's not what's taking everything down, is it? Did I misunderstand something? | | |
| ▲ | embedding-shape 2 hours ago | parent [-] | | The sites are directed to be blocked by IP and DNS, this is the list I suppose you're talking about, I'm not sure of any specific "system vs list" distinction. Since some of the sites are behind Cloudflare, some of the IPs are IPs used by Cloudflare for any customer, not just the streams, so then Cloudflare gets blocked wholesale, the collateral damage that we get to joyfully experience every game. Remains to be seen if the block will remain in place or not, you could argue it goes against some other laws, but it has to be argued legally, just like how the block initially happened because La Liga went through the courts. So far us developers or people who visit more American websites tend to be hit the worst, since they're talking about "protecting" other matches too, in other sports, I'm guessing it'll get worse before it gets better. |
|
|
|
|
|
|
|
| |
| ▲ | embedding-shape 9 hours ago | parent | next [-] | | Will you also do this for other spammers using Cloudflare infrastructure, or just specifically for this email product? > For years, Spamhaus has observed abusive activity facilitated by Cloudflare’s various services. Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS) [2]. > With 1201 unresolved Spamhaus Blocklist (SBL) listings [3], it is clear that the state of affairs at Cloudflare’s Connectivity Cloud looks less than optimal from an abuse-handling perspective. 10.05% of all domains listed on Spamhaus’s Domain Blocklist (DBL), which indicates signs of spam or malicious activity, are on Cloudflare nameservers https://www.spamhaus.org/resource-hub/service-providers/too-... | | |
| ▲ | an hour ago | parent | next [-] | | [deleted] | |
| ▲ | Meekro 8 hours ago | parent | prev | next [-] | | I would note that Cloudflare has been doing better-- the SBL listings page mentioned in that article[1] shows only 47 active complaints, down from 1201 when the article was written 2 years ago. Many of those complaints are stale, too: I spot-checked a few (referencing the domains fireplacecoffee.com and expansionus.com) and the domains are expired and not being hosted by anyone. [1] https://check.spamhaus.org/sbl/listings/cloudflare.com/ | | | |
| ▲ | computershit an hour ago | parent | prev [-] | | > 10.05% of all domains listed on Spamhaus’s Domain Blocklist...are on Cloudflare nameservers Not defending spammers, but this comes across a smidge naive considering Cloudflare's overall footprint in the modern internet. |
| |
| ▲ | Bender 8 hours ago | parent | prev | next [-] | | As someone that has managed very large outbound transactional email environments, email campaign platforms and some corporate email I just wanted to wish Cloudflare the best of luck on this endeavor. This is an entirely different animal from anything related to a CDN. Stay vigilant and don't let the cute and fuzzy bunnies ruin it for everyone else. They are evil and mischievous and will do whatever they technically can do. | |
| ▲ | creatonez 4 hours ago | parent | prev | next [-] | | Agent-produced emails are by definition spam. Everyone should be reacting to this news by immediately blocking your service. | | |
| ▲ | ttul 3 hours ago | parent [-] | | Recent outreach after creating an AgentMail account: "Thanks for being a user of AgentMail - a lot of people use AgentMail for outbound (spin up and warm up inboxes, send sequences, handle replies), ..." Yes, that's right. The first use case mentioned is to send automated outbound emails. "Cold prospecting" workflows are likely going to be a big slice of usage on the new Cloudflare service, as it seems to be on AgentMail. |
| |
| ▲ | ttul 3 hours ago | parent | prev | next [-] | | If you take the approach of policing individual sender accounts with a strict anti-abuse policy, you have a chance of succeeding. I'm sure you have already discovered that the moment you allow anyone to sign up for an email sending account, the worst of the worst actors immediately take up the opportunity to do so! Cloudflare has a massive amount of data about web traffic and I would hope that this data can be recycled into effective threat detection and control. No doubt you already know this and have people working on it. Good luck! | |
| ▲ | chinathrow 5 hours ago | parent | prev | next [-] | | > We're well aware of this. Then how about not market it as "for agents" when said agents are just LLM output? | |
| ▲ | themafia 5 hours ago | parent | prev | next [-] | | So what are the thresholds? For example with SES I will get automatically suspended if my bounce rate is more than 10% or if my complaint rate is more than 0.1%. | |
| ▲ | wang_li 8 hours ago | parent | prev [-] | | I think you should put your money where your mouth is. For each spam message sent to a recipient server, you send $1000 to the recipient. | | |
| ▲ | i_think_so an hour ago | parent [-] | | Make that penalty $1 per (so the discussion can be taken seriously) and I will not only support your proposal, I'll volunteer my time and effort in encouraging Congresscritters to vote for it. There are serious financial penalties for robocallers who violate the Do Not Call list (in America, at least). Let's update those laws for the 21st century, shall we? |
|
|
