To clarify — the website owner can fully add Tor to your allow list if you’d like to. That’s entirely your choice if you’re concerned about Tor users being CAPTCHA’d. Also you control the overall security level — so drop it if you’d like to reduce the likelihood of any CAPTCHAs.

Completely agree. I closed the tab as soon as I saw those were the only 2 signup options.

To be clear -- the website owner can always reply to the email they receive from our Trust & Safety team. That goes directly to our team. This individual could also do that if they had further questions for the team.

Hackernews isn't a necessary route, and quite frankly no changes need to be made to existing policies. The individual could directly reach out team via a reply to the email they received. It seems in this case the person just didn't like the reply they received. That's quite different.

So if they didn't like the reply they received, why have they now been reinstated after posting publicly on hn?

Sounds like if nothing is wrong with the policy, then the company is applying the policy inconsistently.

Exactly.

Too often these email replies are automated and nobody looks at them. Even more so they briefly look and just say sorry still banned.

Only when it's raised publicly does somebody ACTUALLY look.

waves author here.

To be clear: I do this research in my free time. This is 100% independent of my $dayjob at Cloudflare.

(1) setup a VPN server at a hosting provider (you pick)

(2) turn off all logging

(3) make it available to the public (you pick how)

(4) get flooded with abuse reports

(5) get shut down by your hosting provider

Hi, I'm the Head of Trust & Safety at Cloudflare. I'd be happy to discuss the specifics of your domain's DNS settings that lead to this if you'd like to email me -- justinATcloudflareDOTcom

This general issue though is addressed here: https://support.cloudflare.com/hc/en-us/articles/200168876-E...

Specifically: "Having an MX record for a root domain proxied through Cloudflare will reveal your origin web server’s IP address to potential attackers. See Why do I have a dc-######### subdomain? for further details."

This support document links to the following other support article on this topic: https://support.cloudflare.com/hc/en-us/articles/36002029651...

This article includes the following quote: "If your mail server resides on the same IP as your web server, your MX record will expose your origin IP address."

Not at all a safe assumption. Ask your host if they are — you’ll probably be surprised by the answer.

The site is broken on iOS Safari with an ad block on. Not a good start. Looks interesting otherwise.

Author of the post here -- happy to answer any questions.

Please open source the code? Would love to run my own site (for a different purpose).

After we resolve all bugs we want to opensource it. If you give us your email we'll let you know when it is available. Here is our GitHub page: https://github.com/TheGurus

justin {at} cloudflaredotcom

Thanks!

p.s. I thought it was lobsters, but it doesn't appear to be ...hence I asked. :)

Consider https://github.com/lobsters/lobsters?

This seems to be what is being used.