Cloudflare has been in front of _every_ phishing site targeting my org for the past year. Their response to reports is always "we're just a pass through, not our problem". The attackers know that CF won't take action against them, and that using CF will slow down any response or takedown request.
Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.
You instead want to be talking to browser and search engine providers and reporting there, as well as your government for illegal activities.
They aren't a passthrough, though. That wouldn't be a valuable service. They're providing a service to criminals that assists them in fraud, and refusing to take any action when notified. It adds hours or days to a takedown process. It's like they're standing outside the mall handing the bike thieves branded hacksaws.
We've had better luck getting random Moldovan ISPs to shut down service than we've had in getting CloudFlare to give a damn.
They are quite literally a MITM passthrough. The example you used doesn't make any sense either, it would be more like them handing everyone hacksaws and you getting mad at them over the fact some people are using them for bad things.
Again, get a court order and they'll take action. They are legally required to. Random Moldovan ISPs don't operate at the scale CF does, no wonder they were faster. Probably also easier to bribe as well ;)
> Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.
Well, if at least the Big Five (CF, Akamai, AWS, GCP, Azure) could get their shit together and cooperate against the bad actors, using netblocks against hostile IP ranges (both egress and ingress) could start making sense again.
I find that the domain registrar takes action more often than not (I guess because they're bound to ICANN's regulations), then the moment the domain is stopped Cloudflare sends an automated e-mail saying that they don't host the website because the DNS records stopped resolving.
